Windows Analysis Report
default.hta

Overview

General Information

Sample name: default.hta
Analysis ID: 1676002
MD5: 69884c859563d6a1bbd9dbaeb4a69db4
SHA1: ae0d8f75985832eba5f1903707b4175e344785b9
SHA256: d5a4eb04650aa9ca958eb782b175d613b52285e1f17caef218be30aad1a6432b
Tags: hta, user-abuse_ch

Detection

Score: 23
Range: 0 - 100
Confidence: 60%

Signatures

Opens network shares
AV process strings found (often used to terminate AV products)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Process Tree

  • System is w10x64
  • mshta.exe (PID: 6640 cmdline: mshta.exe "C:\Users\user\Desktop\default.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • WerFault.exe (PID: 1412 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 2804 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: unknown | HTTPS traffic detected: 192.178.49.196:443 -> 192.168.2.8:49692 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 13.33.21.29:443 -> 192.168.2.8:49697 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 104.17.151.117
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: www.google.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Origin: file: | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: cdn.amplitude.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/icons/myfiles/default.png HTTP/1.1 | Accept: */* | Accept-Language: en-CH | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: www.mediafire.com | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 2><a href="/upgrade/">Upgrade</a></h2> <ul> <li><a href="/upgrade/index.php?plan=Pro">Professional</a></li> <li><a href="https://fast.io/pricing">Business</a></li> </ul> </div> <div class="footerCol" style="margin-right:0;"> <h2><a href="https://mediafire.zendesk.com/hc/en-us" target="_blank">Support</a></h2> <ul> <li class="minFooterShow"><a href="https://mediafire.zendesk.com/hc/en-us" target="_blank">Get Support</a></li> </ul> </div> </div> </div> <div class="myfilesTabHelp"> <p> Questions? <a href="/help/submit_a_ticket.php" target="_blank" tabindex="-1">Submit a ticket</a> or <a href="/help/" target="_blank">visit our Help Center</a>. </p> <div class="footerShortcuts"> <p style="margin-right:15px;">Keyboard Shortcuts:</p> <div class="footerShortcutHide"><span>U</span> = Upload</div> <div class="footerShortcutHide"><span>N</span> = New Folder</div> <div><span class="footerShortcutsWin">CTRL</span><span class="footerShortcutsMac">CMD</span> + <span>A</span> = Select All</div> <div><span>ESC</span> = Deselect</div> <div class="lastShortcut"><span>DEL</span> = Move to Trash</div> </div> </div> <div id="google_translate_element_dynamic"></div> <ul class="subFooterLinks"> <li id="copyrightInfo">&copy;2025 MediaFire<span> Build 121937</span></li> <li><a href="/advertising/">Advertising</a></li> <li><a href="/policies/terms_of_service.php">Terms</a></li> <li><a href="/policies/privacy_policy.php">Privacy Policy</a></li> <li><a href="/policy_violation/copyright.php">Copyright</a></li> <li><a href="/policy_violation/terms_of_service.php">Abuse</a></li> <li><a href="/credits/">Credits</a></li> <li><a href="/about/">More...</a></li> </ul> <div class="subFooterSocialWrap"> <ul id="subFooterSocial"> <li class="footerIcn"> <a href="http://www.facebook.com/mediafire" class="footerIcnFb" target="_blank" rel="noreferrer" title="MediaFire's Facebook page"> <span class="footerIcnFb"></span> </a> </li> <li class="footerIcn"> <a href="http://twitter.com/#!/mediafire" class="footerIcnTw" target="_blank" rel="noreferrer" title="MediaFire's Twitter page"> <span class="footerIcnTw"></span> </a> </li> <li class="footerIcn"> <a href="http://blog.mediafire.com/" class="footerIcnBlog" target="_blank" title="MediaFire Blog"> <span class="footerIcnBlog"></span> </a> </li> </ul> </div> </div> </div> </footer> <div class="sandboxLabel labelRibbon">SANDBOX</div> <footer id="simpleFooter" role="contentinfo"> <div class="wrap"> <span>&copy;2025 MediaFire&nbsp;&nbsp; <span>Build 121937</span> </span> <span style="opacity:.5;border-left:1px solid #999;margin:0 8px 0 10px;"></span> Need help? <a href="/help/submit_a_ticket.php" target="_blank">Submit a ticket</a>. </div> </footer> <div id="page_screen">&nbsp;</div> <iframe src="/blank.html" style="display:none;" id="userwork" name="userwork" width="0" height="0" frameborder="0"></iframe> <iframe src="/blank.html" style="display:none;" id="emailwork" name="emailwork" width="0" height="0" frameborder="0"></iframe> <scri
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: 2><a href="/upgrade/">Upgrade</a></h2> <ul> <li><a href="/upgrade/index.php?plan=Pro">Professional</a></li> <li><a href="https://fast.io/pricing">Business</a></li> </ul> </div> <div class="footerCol" style="margin-right:0;"> <h2><a href="https://mediafire.zendesk.com/hc/en-us" target="_blank">Support</a></h2> <ul> <li class="minFooterShow"><a href="https://mediafire.zendesk.com/hc/en-us" target="_blank">Get Support</a></li> </ul> </div> </div> </div> <div class="myfilesTabHelp"> <p> Questions? <a href="/help/submit_a_ticket.php" target="_blank" tabindex="-1">Submit a ticket</a> or <a href="/help/" target="_blank">visit our Help Center</a>. </p> <div class="footerShortcuts"> <p style="margin-right:15px;">Keyboard Shortcuts:</p> <div class="footerShortcutHide"><span>U</span> = Upload</div> <div class="footerShortcutHide"><span>N</span> = New Folder</div> <div><span class="footerShortcutsWin">CTRL</span><span class="footerShortcutsMac">CMD</span> + <span>A</span> = Select All</div> <div><span>ESC</span> = Deselect</div> <div class="lastShortcut"><span>DEL</span> = Move to Trash</div> </div> </div> <div id="google_translate_element_dynamic"></div> <ul class="subFooterLinks"> <li id="copyrightInfo">&copy;2025 MediaFire<span> Build 121937</span></li> <li><a href="/advertising/">Advertising</a></li> <li><a href="/policies/terms_of_service.php">Terms</a></li> <li><a href="/policies/privacy_policy.php">Privacy Policy</a></li> <li><a href="/policy_violation/copyright.php">Copyright</a></li> <li><a href="/policy_violation/terms_of_service.php">Abuse</a></li> <li><a href="/credits/">Credits</a></li> <li><a href="/about/">More...</a></li> </ul> <div class="subFooterSocialWrap"> <ul id="subFooterSocial"> <li class="footerIcn"> <a href="http://www.facebook.com/mediafire" class="footerIcnFb" target="_blank" rel="noreferrer" title="MediaFire's Facebook page"> <span class="footerIcnFb"></span> </a> </li> <li class="footerIcn"> <a href="http://twitter.com/#!/mediafire" class="footerIcnTw" target="_blank" rel="noreferrer" title="MediaFire's Twitter page"> <span class="footerIcnTw"></span> </a> </li> <li class="footerIcn"> <a href="http://blog.mediafire.com/" class="footerIcnBlog" target="_blank" title="MediaFire Blog"> <span class="footerIcnBlog"></span> </a> </li> </ul> </div> </div> </div> </footer> <div class="sandboxLabel labelRibbon">SANDBOX</div> <footer id="simpleFooter" role="contentinfo"> <div class="wrap"> <span>&copy;2025 MediaFire&nbsp;&nbsp; <span>Build 121937</span> </span> <span style="opacity:.5;border-left:1px solid #999;margin:0 8px 0 10px;"></span> Need help? <a href="/help/submit_a_ticket.php" target="_blank">Submit a ticket</a>. </div> </footer> <div id="page_screen">&nbsp;</div> <iframe src="/blank.html" style="display:none;" id="userwork" name="userwork" width="0" height="0" frameborder="0"></iframe> <iframe src="/blank.html" style="display:none;" id="emailwork" name="emailwork" width="0" height="0" frameborder="0"></iframe> <script
Source: js[1].js.0.dr | String found in binary or memory: function Qt(a,b){var c=gt(b),d=ht(a,c);if(!d)return 0;var e;e=a==="ag"?it(d):dt(d);for(var f=0,g=0;g<e.length;g++)f=Math.max(f,e[g].timestamp);return f}function Rt(a){for(var b=0,c=l(Object.keys(a)),d=c.next();!d.done;d=c.next())for(var e=a[d.value],f=0;f<e.length;f++)b=Math.max(b,Number(e[f].timestamp));return b}function St(a){var b=Math.max(Qt("aw",a),Rt(at($s())?Us():{})),c=Math.max(Qt("gb",a),Rt(at($s())?Us("_gac_gb",!0):{}));c=Math.max(c,Qt("ag",a));return c>b};function hu(){return Jo("dedupe_gclid",function(){return Ar()})};var iu=/^(www\.)?google(\.com?)?(\.[a-z]{2}t?)?$/,ju=/^www.googleadservices.com$/;function ku(a){a||(a=lu());return a.po?!1:a.nn||a.on||a.rn||a.pn||a.df||a.Wm||a.qn||a.dn?!0:!1}function lu(){var a={},b=fs(!0);a.po=!!b._up;var c=vt();a.nn=c.aw!==void 0;a.on=c.dc!==void 0;a.rn=c.wbraid!==void 0;a.pn=c.gbraid!==void 0;a.qn=c.gclsrc==="aw.ds";a.df=Vt().df;var d=A.referrer?fk(lk(A.referrer),"host"):"";a.dn=iu.test(d);a.Wm=ju.test(d);return a};var mu=["https://www.google.com","https://www.youtube.com","https://m.youtube.com"]; equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com/2008/fbmlS equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000002.1313579634.00000000060E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com/mediafired equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1321362921.00000000076F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: non_personalized_adsfl_user_data_cacheconversion_linkerread_container_dataapp_installer_idapplicableSectionsEVENT_SETUP_STARTaddConsentListenerwebkitMatchesSelectorinternal.getAuid_user_agent_mobileGA4_CONVERSION_HITconversion_labelinternal.getRegionCodemozMatchesSelectorflight_error_codeinternal.scrubUrlParamsadd_payment_info_user_agent_model_googCallTrackingImplsupportedMethodsmsMatchesSelectorcookie_deprecationgsa_experiment_id_user_agent_platformflight_error_messageoMatchesSelectoradd_shipping_infointernal.sendAdsHitip_geo_data_cacheauto_detection_enabledaddWindowEventListenerv t pid dl tdp expserver_container_urlcorePlatformServicesfl_activity_categoryinternal.sendGtagEventtc_privacy_stringgclid_storage_sourceremove_from_cartsession_durationinternal.copyPreHit_user_agent_wow64engagement_time_msecaddElementEventListenerfl_activity_groupinternal.gtagConfigaw_remarketing_only/as/d/ccm/conversioninternal.getCountryCodecreateArgumentsQueueTAG_CALLBACK_ERRORenhanced_client_idfl_advertiser_idsession_engaged_timeuser_data_auto_latency/g/d/ccm/conversioninternal.setAnchorHrefaddEventCallback/gs/ccm/conversionenhanced_conversionsADS_CONVERSION_HITuser_data_auto_metaTAG_CALLBACK_FAILUREinternal.testRegex/d/ccm/form-dataaw_feed_languageis_legacy_converteduser_data_auto_multiinjectHiddenIframeselect_promotionCONTAINER_EXECUTE_STARTTAG_CALLBACK_SUCCESSis_legacy_loadedfl_random_numbernonGoogleScriptshttps://www.youtube.cominternal.unsiloIddelivery_postal_codeinternal.getUserAgentphone_conversion_idsads_data_redactionestimated_delivery_dateinternal.injectHtmlinternal.addFormDatagtm_eeSafariRfijujSigclawauidudYmCoastMSIE__ehlzb_tuHe/td?id=/asGlBlvdEdgeTfnpajmHcsend_toGewd__evlUfreadyesGeckokmIcMbfrmjjxdEdg/webkit__falydzjYfOperaFa\0scMobileJczdeclIeLgOPRvj__filmccJeVflpstaxSymbolkjBdAjQi\ngtm_upctidWindows__fslNgKcCdgclgbTiRh/gsObhbdscntdidD dEgib\u0000WfLinux__hlgclidMm.jsXfjbCrOSViPbjsPlfcntr__jelehlKewaQbAndroidLcucrogetHgMcrep__lclljvcgtagSetgaawciPadsetBUTTONflngwcGaNeJgiPodgclgsINPUTmbZfgoogtag__sdlQgRblmkaiosnbBjmidgcllpforEachdjtibammPeRgxaobhtml__tlCfFnSbyaDfgclstgooglelamjbttypepolicyconsenthi__ytlcountrytyperdpgetUrlEfsodataiika_eqpbitemsQlskclarg0mapgacidecsidListNcfile://arg1Tbnjsourcedl__tgSgversionhttpVagtm.jsHalabelXitranOcyoga_uidCjJaGfhttpsruleswoojPccontentTg_lps_awmailtoKaBoQcUgcapiUdfgdelopcCo_dcmacrosftprefundRcAaVgifVdggzoDonaconcatUbWgreduceDjWdaddhgpscdlgetItemEoVbvalueconcat every filter forEach hasOwnProperty indexOf join lastIndexOf map pop push reduce reduceRight reverse shift slice some sort splice unshift toString equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: return f}iI.K="internal.enableAutoEventOnTimer";var $b=ua(["data-gtm-yt-inspected-"]),kI=["www.youtube.com","www.youtube-nocookie.com"],lI,mI=!1; equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1321220228.00000000076C4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: trip_typecallbackgtmTrackerNameNO_QUEUEpage_view_host_namesetInWindowkeepalivemerchant_idvalue_callbackexperiments_googWcmImplcontent_groupdurationexDescriptionscreen_viewurl_passthroughfirebase_idvalue_keycopyFromWindowhostname_googWcmAkcontent_typeUA-829541-1session_startANALYTICSnavigation_type_ip_overridetoUpperCasesample_rate_google_ngpermissionsredirectinitializedsource_updatenew_customerMONITORINGaffiliationdataLayereventCategoryscreen_nameEVENT_SETUP_ENDgoogle_signalsconversion_idpingData_gaPhoneImplnon_interactiontransportcompletecheckout_optionus_privacytiming_completewww.youtube.comtimingVargoogle_tldinteractivecheckout_stepoptimize_idpt_listener_settrack_social_script_sourceremoveItemgetReferrerUrlresetDataLayerconsent_update_sst_parametersapp_namecontinuegpp_stringpage_hostnameuser_engagementeventLabelitem_list_namesearch_termconversion_apiread_event_dataapp_versionpage_pathlogToConsolefunctionNamesend_page_viewuser_id_updatepage_locationlist_namepage_referrersignalStatusPAGE_LOADMicrosoft EdgegetCookieValueseventDataAccesspage_titlesogtjlhdpromotionscookie_domainPAGEVIEWadd_to_carteventNameshippingcookie_expiresanonymize_ippassengersaw_remarketingMacintosh equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr | String found in binary or memory: var xH=function(a,b,c,d,e){var f=mE("fsl",c?"nv.mwt":"mwt",0),g;g=c?mE("fsl","nv.ids",[]):mE("fsl","ids",[]);if(!g.length)return!0;var h=rE(a,"gtm.formSubmit",g),m=a.action;m&&m.tagName&&(m=a.cloneNode(!1).action);O(121);if(m==="https://www.facebook.com/tr/")return O(122),!0;h["gtm.elementUrl"]=m;h["gtm.formCanceled"]=c;a.getAttribute("name")!=null&&(h["gtm.interactedFormName"]=a.getAttribute("name"));e&&(h["gtm.formSubmitElement"]=e,h["gtm.formSubmitElementText"]=e.value);if(d&&f){if(!JC(h,LC(b, equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000003.1266818341.0000000005A28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: www.mediafire.com
Source: global traffic | DNS traffic detected: DNS query: cdn.amplitude.com
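Added example (not part of the Joe Sandbox report): a small Python parser that turns the network rows above into an IOC summary and flags what makes these requests interesting for an HTA. In the raw text export of the report the request headers are run together with no separator, so the parser splits them on a fixed list of header names (an assumption made here, sufficient for the rows in this report), then collects hosts, URL paths, TLS peers and DNS names, and flags two tells of web content being fetched through mshta.exe: the IE7-compatibility User-Agent that the MSHTML engine sends by default, and the Origin: file: header on the cdn.amplitude.com request, which shows the requesting document was opened from a local file. The embedded rows are copied from this report and are the constructed test input.

```python
"""Parse the network rows of a Joe Sandbox text export into an IOC summary.

Added example for this page, not part of the Joe Sandbox report. The rows
in REPORT_LINES are copied from the report above (constructed test input);
the header-name list used to split the run-together headers is an
assumption made here and covers the headers present in those rows.
"""
import re
from dataclasses import dataclass, field

# Rows copied verbatim from the report's signature table (constructed test input).
REPORT_LINES = [
    "Source: unknownHTTPS traffic detected: 192.178.49.196:443 -> 192.168.2.8:49692 version: TLS 1.2",
    "Source: unknownHTTPS traffic detected: 13.33.21.29:443 -> 192.168.2.8:49697 version: TLS 1.2",
    "Source: global trafficHTTP traffic detected: GET /recaptcha/api.js HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.google.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1Accept: */*Accept-Language: en-CHOrigin: file:Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: cdn.amplitude.comConnection: Keep-Alive",
    "Source: global trafficHTTP traffic detected: GET /images/icons/myfiles/default.png HTTP/1.1Accept: */*Accept-Language: en-CHAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: www.mediafire.comConnection: Keep-Alive",
    "Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1",
    "Source: global trafficDNS traffic detected: DNS query: www.google.com",
    "Source: global trafficDNS traffic detected: DNS query: www.mediafire.com",
    "Source: global trafficDNS traffic detected: DNS query: cdn.amplitude.com",
]

# Header names seen in the rows, longest first so "Accept" cannot swallow
# "Accept-Language" (assumption: the export contains only these headers).
HEADER_NAMES = ("Accept-Language", "Accept-Encoding", "Accept",
                "Origin", "User-Agent", "Host", "Connection")
_ALT = "|".join(re.escape(h) for h in HEADER_NAMES)
# A header value runs until the next known header name or end of row.
_HEADER_RE = re.compile(rf"(?P<name>{_ALT}): (?P<value>.*?)(?=(?:{_ALT}): |$)")
_HTTP_RE = re.compile(r"^Source: (?P<src>.*?)HTTP traffic detected: "
                      r"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+(?P<headers>.*)$")
_TLS_RE = re.compile(r"^Source: .*?HTTPS traffic detected: (?P<rip>[\d.]+):(?P<rport>\d+) "
                     r"-> (?P<lip>[\d.]+):(?P<lport>\d+) version: (?P<ver>.+)$")
_DNS_RE = re.compile(r"^Source: .*?DNS traffic detected: DNS query: (?P<name>\S+)$")
_UDP_RE = re.compile(r"^Source: .*?UDP traffic detected without corresponding DNS query: (?P<ip>[\d.]+)$")


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict = field(default_factory=dict)

    @property
    def host(self) -> str:
        return self.headers.get("Host", "")


def parse_headers(blob: str) -> dict:
    """Split a run-together header blob into a name -> value dict."""
    return {m["name"]: m["value"] for m in _HEADER_RE.finditer(blob)}


def parse_report(lines) -> dict:
    """Classify each row as HTTP request, TLS session, DNS query or bare UDP."""
    out = {"http": [], "tls": [], "dns": [], "udp_no_dns": []}
    for line in lines:
        if m := _HTTP_RE.match(line):
            out["http"].append(HttpRequest(m["method"], m["path"], parse_headers(m["headers"])))
        elif m := _TLS_RE.match(line):
            out["tls"].append((m["rip"], int(m["rport"]), m["ver"]))
        elif m := _DNS_RE.match(line):
            out["dns"].append(m["name"])
        elif m := _UDP_RE.match(line):
            out["udp_no_dns"].append(m["ip"])
    return out


def flags(req: HttpRequest) -> list:
    """Reasons a request is consistent with an HTA rendered by mshta.exe."""
    reasons = []
    ua = req.headers.get("User-Agent", "")
    if "MSIE 7.0" in ua and "Trident/7.0" in ua:
        reasons.append("IE7-compatibility User-Agent: MSHTML engine (mshta.exe), not a browser session")
    if req.headers.get("Origin", "").startswith("file:"):
        reasons.append("Origin: file: the requesting document was opened from a local file (the .hta)")
    return reasons


def iocs(parsed: dict) -> dict:
    """Deduplicated IOC summary of the parsed rows."""
    return {
        "hosts": sorted({r.host for r in parsed["http"]} | set(parsed["dns"])),
        "urls": sorted(f"{r.host}{r.path}" for r in parsed["http"]),
        "tls_peers": sorted({ip for ip, _, _ in parsed["tls"]}),
        "resolver_without_query": sorted(set(parsed["udp_no_dns"])),
    }


if __name__ == "__main__":
    parsed = parse_report(REPORT_LINES)
    for r in parsed["http"]:
        print(f"{r.method} {r.host}{r.path}")
        for reason in flags(r):
            print("   !", reason)
    print(iocs(parsed))
```

The two Google and MediaFire requests carry only the User-Agent flag; the Amplitude request carries both, because the HTA page loaded the analytics library itself rather than through a server-rendered page. The 1.1.1.1 row is the resolver the sandbox VM uses, reported because the datagrams to it are not preceded by a query for that address.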
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/0
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1316627755.0000000006853000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js/
Source: mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js_
Source: mshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.jsk
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.mediafire.com/
Source: mshta.exe, 00000000.00000002.1318166941.0000000006B55000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.ampproject.org
Source: mshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twitter.com/#
Source: Amcache.hve.10.dr | String found in binary or memory: http://upx.sf.net
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: http://www.mediafire.com
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/P
Source: mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.png
Source: mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.png;#
Source: mshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngogo_u1_full_color.svgrsed.svg
Source: default.hta | String found in binary or memory: http://www.mediafire.com/images/logos/mf_logo250x250.png
Source: mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/logos/mf_logo250x250.pngk
Source: mshta.exe, 00000000.00000003.1039144872.000000000604F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.microsoft.cooAW
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: https://ad.doubleclick.net/activity;
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: https://ad.doubleclick.net/activity;register_conversion=1;
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: https://ade.googlesyndication.com/ddm/activity/
Source: mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.mediafire.com/
Source: mshta.exe, 00000000.00000003.1055033636.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060C1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://blog.mediafire.com/&
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266818341.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: https://cct.google/taggy/agent.js
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/V
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.0000000006033000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js#
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js(
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js22658-3693405117-2476756634-1003f
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js8
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsSPSC:
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsX
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsk
Source: mshta.exe, 00000000.00000002.1313579634.0000000006033000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.0000000006033000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jst0t
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/contact
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha-enterprise/billing-information
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#automated-query-error
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#localhost-error
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
Source: mshta.exe, 00000000.00000003.1104260447.000000000610B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053886703.0000000006107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/recaptcha
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
Source: mshta.exe, 00000000.00000003.1104260447.000000000610B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053886703.0000000006107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1068:0
Source: mshta.exe, 00000000.00000002.1308113571.00000000023B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1310:0
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1068:0
Source: mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:0
Source: mshta.exe, 00000000.00000002.1308113571.00000000023B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:01E;
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
Source: mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fast.io
Source: mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fast.io/pricing
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/
Source: mshta.exe, 00000000.00000002.1308113571.000000000231E000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, css[1].css.0.drString found in binary or memory: https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&ske
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://google.com/pagead/form-data
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/viewthroughconversion
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.comk
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://m.youtube.com
Source: mshta.exe, 00000000.00000002.1321362921.00000000076F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://m.youtube.comcustomer_buyer_stageCONTAINER_SETUP_ENDinternal.safeInvokeeuid_logged_in_state_
Source: mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mediafire.zendesk.com/hc/en-us
Source: mshta.exe, 00000000.00000003.1104061474.00000000060D6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060D6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060D6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mediafire.zendesk.com/hc/en-usZ
Source: mshta.exe, 00000000.00000002.1316930352.0000000006900000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com/ccm/collect
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: mshta.exe, 00000000.00000003.1267141893.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pagead2.googlesyndication.comok.https://pagead2.googlesyndication.com
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.drString found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha#6262736
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: mshta.exe, 00000000.00000002.1321220228.00000000076C4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://targetRef__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG_PARAMgtm_debugTADebugSignalREFERRERcct.goog
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://td.doubleclick.net
Source: mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, js[1].js.0.drString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: mshta.exe, 00000000.00000002.1321129519.0000000007696000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js;
Source: mshta.exe, 00000000.00000003.1266818341.0000000005A28000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsY.loadedc.onFailure
Source: js[1].js.0.drString found in binary or memory: https://www.google.com
Source: mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
Source: mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/2
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/ccm/collect
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/pagead/form-data
Source: mshta.exe, 00000000.00000003.1039144872.000000000604F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js%
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsP
Source: mshta.exe, 00000000.00000002.1308113571.0000000002331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsWindows
Source: mshta.exe, 00000000.00000002.1316627755.0000000006853000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsX
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsa
Source: mshta.exe, 00000000.00000002.1308113571.0000000002331000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsh8
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jshtaB
Source: mshta.exe, 00000000.00000003.1039144872.000000000604F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsk
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsq
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1316627755.0000000006865000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1039144872.0000000006034000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1039144872.0000000006043000.00000004.00000020.00020000.00000000.sdmp, api[1].js.0.dr, recaptcha__en[1].js.0.drString found in binary or memory: https://www.google.com/recaptcha/api2/
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/travel/flights/click/conversion
Source: mshta.exe, 00000000.00000002.1320735031.0000000007605000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.comfledge_drop_reasonconsentGoNiJoshzaKiimhmdmOifescapepkindextypelistzbnamearg0m
Source: mshta.exe, 00000000.00000003.1267141893.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comok.https://www.google.com
Source: mshta.exe, 00000000.00000002.1316930352.0000000006900000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googleadservices.com
Source: mshta.exe, 00000000.00000002.1321076225.0000000007670000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.cominternal.sortRemoteConfigParametersinternal.addHistoryChangeListener
Source: mshta.exe, 00000000.00000003.1267141893.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.comok.https://www.googleadservices.com
Source: js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com
Source: mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com/a?
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1321129519.0000000007696000.00000004.00000800.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1.min.js
Source: mshta.exe, 00000000.00000002.1308113571.0000000002398000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1/n
Source: mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-12
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-13
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1ogleTranslateElementInit.php
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1owC:
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1ranslateElementInitA
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1z
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1318786034.0000000006C3D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.000000000604B000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T-
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T1
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4TK
Source: mshta.exe, 00000000.00000002.1313579634.00000000060F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4TPPC:
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4Tjsml
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4Tn
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T~
Source: mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.000000000604B000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-53LP4T
Source: mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/q
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1321129519.0000000007696000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com/static/service_worker/
Source: mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/static/service_worker/d.protocol
Source: mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://www.gstatic.c..?/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__.
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/&
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/F
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/l
Source: mshta.exe, 00000000.00000003.1039144872.0000000006034000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobu
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp, api[1].js.0.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js/
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js0Cw
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsLMEM
Source: mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsZ
Source: mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsf
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsl
Source: mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsuC
Source: mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: https://www.youtube.com
Source: mshta.exe, 00000000.00000002.1321362921.00000000076F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.cominternal.unsiloIddelivery_postal_codeinternal.getUserAgentphone_conversion_id
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown | Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown | Network traffic detected: HTTP traffic on port 49692 -> 443
Source: C:\Windows\SysWOW64\mshta.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 2804
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: sus23.spyw.winHTA@2/17@3/3
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\jquery.min[1].js
Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6640
Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\9e995d88-3717-4cd2-ba9f-e771df8b44e7
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\default.hta"
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.10.dr | Binary or memory string: VMware
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual USB Mouse
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWz
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin
Source: Amcache.hve.10.dr | Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.10.dr | Binary or memory string: VMware, Inc.
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.10.dr | Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.10.dr | Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.0000000006027000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: Amcache.hve.10.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.10.dr | Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.10.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: vmci.sys
Source: mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.10.dr | Binary or memory string: vmci.syshbin`
Source: Amcache.hve.10.dr | Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.10.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.10.dr | Binary or memory string: VMware20,1
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.10.dr | Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.10.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.10.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.10.dr | Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.10.dr | Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.10.dr | Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.10.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.10.dr | Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\mshta.exe | Memory allocated: page read and write | page guard
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.10.dr | Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\mshta.exe | File opened: \\static.mediafire.com\css\
MITRE ATT&CK Matrix (count in parentheses = number of matching signatures)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At | Cron
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows) | Login Hook
Privilege Escalation: Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows) | Login Hook
Defense Evasion: Masquerading (1) | Disable or Modify Tools (1) | Process Injection (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS
Discovery: Network Share Discovery (1) | Security Software Discovery (11) | System Information Discovery (2) | System Network Configuration Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model
Collection: Email Collection (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture
Command and Control: Encrypted Channel (1) | Non-Application Layer Protocol (2) | Application Layer Protocol (13) | Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction
Behavior Graph (ID: 1676002, Sample: default.hta, Start date: 28/04/2025, Architecture: WINDOWS, Score: 23)

mshta.exe (started)
  www.google.com 192.178.49.196, 443, 49692 GOOGLEUS United States
  www.mediafire.com 104.17.151.117, 445, 49694, 80 CLOUDFLARENETUS United States
  cdn.amplitude.com 13.33.21.29, 443, 49697 AMAZON-02US United States
  Signature: Opens network shares
  WerFault.exe (started)

Source | Detection | Scanner | Label | Link
default.hta | 0% | ReversingLabs | |
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.google.comok.https://www.google.com | 0% | Avira URL Cloud | safe |
https://blog.mediafire.com/ | 0% | Avira URL Cloud | safe |
https://fast.io | 0% | Avira URL Cloud | safe |
https://fast.io/pricing | 0% | Avira URL Cloud | safe |
https://mediafire.zendesk.com/hc/en-usZ | 0% | Avira URL Cloud | safe |
https://m.youtube.comcustomer_buyer_stageCONTAINER_SETUP_ENDinternal.safeInvokeeuid_logged_in_state_ | 0% | Avira URL Cloud | safe |
https://www.youtube.cominternal.unsiloIddelivery_postal_codeinternal.getUserAgentphone_conversion_id | 0% | Avira URL Cloud | safe |
http://www.microsoft.cooAW | 0% | Avira URL Cloud | safe |
https://targetRef__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG_PARAMgtm_debugTADebugSignalREFERRERcct.goog | 0% | Avira URL Cloud | safe |
http://blog.mediafire.com/ | 0% | Avira URL Cloud | safe |
https://blog.mediafire.com/& | 0% | Avira URL Cloud | safe |
https://mediafire.zendesk.com/hc/en-us | 0% | Avira URL Cloud | safe |
https://www.google.comfledge_drop_reasonconsentGoNiJoshzaKiimhmdmOifescapepkindextypelistzbnamearg0m | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.mediafire.com | 104.17.151.117 | true | false | | high
cdn.amplitude.com | 13.33.21.29 | true | false | | high
www.google.com | 192.178.49.196 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.mediafire.com/images/icons/myfiles/default.png | false | | high
https://www.google.com/recaptcha/api.js | false | | high
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://blog.mediafire.com/ | mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/recaptcha/api.jshtaB | mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ad.doubleclick.net/activity;register_conversion=1; | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://fast.io | mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.google.com/recaptcha#6262736 | mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
http://blog.mediafire.com/ | mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#automated-query-error | mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://www.google.com/recaptcha/api.jsh8 | mshta.exe, 00000000.00000002.1308113571.0000000002331000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://google.com/pagead/form-data | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://csp.withgoogle.com/csp/recaptcha | mshta.exe, 00000000.00000003.1104260447.000000000610B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053886703.0000000006107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://googleads.g.doubleclick.net/pagead/viewthroughconversion | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://support.google.com/recaptcha/?hl=en#6223828 | mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://cloud.google.com/contact | mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://www.youtube.com | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js22658-3693405117-2476756634-1003f | mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | js[1].js.0.dr | false | | high
https://www.google.com/recaptcha/api.jsk | mshta.exe, 00000000.00000003.1039144872.000000000604F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.amplitude.com/V | mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js( | mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mediafire.com/images/logos/mf_logo250x250.png | default.hta | false | | high
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js# | mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mediafire.com/images/icons/myfiles/default.png;# | mshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/2 | mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/recaptcha/api.jsq | mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/travel/flights/click/conversion | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://support.google.com/recaptcha/#6175971 | mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://m.youtube.com | mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266865182.0000000005A1B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://fast.io/pricing | mshta.exe, 00000000.00000002.1313579634.0000000006010000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060C9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js8 | mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.youtube.cominternal.unsiloIddelivery_postal_codeinternal.getUserAgentphone_conversion_id | mshta.exe, 00000000.00000002.1321362921.00000000076F9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/recaptcha/api2/ | mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1316627755.0000000006865000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1039144872.0000000006034000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1039144872.0000000006043000.00000004.00000020.00020000.00000000.sdmp, api[1].js.0.dr, recaptcha__en[1].js.0.dr | false | | high
http://www.mediafire.com/ | mshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers | mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.google.com/recaptcha | recaptcha__en[1].js.0.dr | false | | high
                                                                        https://www.google.com/pagead/form-datamshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                          high
                                                                          https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1068:0mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#localhost-errormshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                              high
                                                                              https://www.google.com/recaptcha/api.jsPmshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://www.mediafire.commshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmp, default.htafalse
                                                                                  high
                                                                                  https://mediafire.zendesk.com/hc/en-usZmshta.exe, 00000000.00000003.1104061474.00000000060D6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060D6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060D6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  https://cloud.google.com/recaptcha-enterprise/billing-informationmshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                    high
                                                                                    https://targetRef__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG_PARAMgtm_debugTADebugSignalREFERRERcct.googmshta.exe, 00000000.00000002.1321220228.00000000076C4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://www.google.comok.https://www.google.commshta.exe, 00000000.00000003.1267141893.0000000005A0F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1068:0mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsXmshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://static.hotjar.com/c/hotjar-mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.drfalse
                                                                                          high
                                                                                          http://upx.sf.netAmcache.hve.10.drfalse
                                                                                            high
                                                                                            http://www.mediafire.com/images/icons/myfiles/default.pngogo_u1_full_color.svgrsed.svgmshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsSPSC:mshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://www.mediafire.com/Pmshta.exe, 00000000.00000002.1308113571.000000000236F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.google.com/recaptcha/api.jsamshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://csp.withgoogle.com/csp/hosted-libraries-pushersmshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.microsoft.cooAWmshta.exe, 00000000.00000003.1039144872.000000000604F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://cct.google/taggy/agent.jsmshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1266818341.0000000005A28000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                        high
                                                                                                        https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:01E;mshta.exe, 00000000.00000002.1308113571.00000000023B4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://csp.withgoogle.com/csp/report-to/recaptchamshta.exe, 00000000.00000003.1104260447.000000000610B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.00000000023C6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053886703.0000000006107000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://www.google.com/recaptcha/api.jsXmshta.exe, 00000000.00000002.1316627755.0000000006853000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://www.google.com/recaptcha/api.jsWindowsmshta.exe, 00000000.00000002.1308113571.0000000002331000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://www.mediafire.com/images/logos/mf_logo250x250.pngkmshta.exe, 00000000.00000002.1308113571.00000000023BB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-recamshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                                                    high
                                                                                                                    https://m.youtube.comcustomer_buyer_stageCONTAINER_SETUP_ENDinternal.safeInvokeeuid_logged_in_state_mshta.exe, 00000000.00000002.1321362921.00000000076F9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://ad.doubleclick.net/activity;mshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                                      high
                                                                                                                      https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jst0tmshta.exe, 00000000.00000002.1313579634.0000000006033000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.0000000006033000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://blog.mediafire.com/&mshta.exe, 00000000.00000003.1055033636.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060C1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060C1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://td.doubleclick.netmshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                                          high
                                                                                                                          https://www.google.com/recaptcha/api.js%mshta.exe, 00000000.00000002.1308113571.000000000234B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://mediafire.zendesk.com/hc/en-usmshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://www.google.comfledge_drop_reasonconsentGoNiJoshzaKiimhmdmOifescapepkindextypelistzbnamearg0mmshta.exe, 00000000.00000002.1320735031.0000000007605000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://twitter.com/#mshta.exe, 00000000.00000002.1308113571.00000000023E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              http://cdn.ampproject.orgmshta.exe, 00000000.00000002.1318166941.0000000006B55000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://cdn.amplitude.com/mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1310:0mshta.exe, 00000000.00000002.1308113571.00000000023B4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:0mshta.exe, 00000000.00000003.1055279232.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1055033636.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1313579634.00000000060F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104061474.00000000060E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.00000000060E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      https://www.google.com/ccm/collectmshta.exe, 00000000.00000002.1319274108.00000000070D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1319274108.0000000007090000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                                                        high
                                                                                                                                        https://www.google.com/mshta.exe, 00000000.00000002.1308113571.000000000239F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
                                                                                                                                          https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jskmshta.exe, 00000000.00000002.1313579634.0000000006050000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1053967303.000000000604B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1104285645.000000000604E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            https://www.gstatic.c..?/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__.mshta.exe, 00000000.00000002.1322565272.0000000007ED8000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                                                                              high
IP | Domain | Country | ASN | ASN Name | Malicious
104.17.151.117 | www.mediafire.com | United States | 13335 | CLOUDFLARENETUS | false
192.178.49.196 | www.google.com | United States | 15169 | GOOGLEUS | false
13.33.21.29 | cdn.amplitude.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1676002
Start date and time: 2025-04-28 08:55:17 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 45s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: default.hta
Detection: SUS
Classification: sus23.spyw.winHTA@2/17@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .hta
• Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 142.250.68.234, 142.250.69.10, 142.250.68.232, 192.178.49.195, 104.208.16.94, 4.175.87.197, 184.29.183.29, 20.190.190.193
• Excluded domains from analysis (whitelisted): fonts.googleapis.com, fs.microsoft.com, slscr.update.microsoft.com, ajax.googleapis.com, ctldl.windowsupdate.com, static.mediafire.com, fe3cr.delivery.mp.microsoft.com, login.live.com, www.googletagmanager.com, blobcollector.events.data.trafficmanager.net, translate.google.com, umwatson.events.data.microsoft.com, www.gstatic.com, c.pki.goog, onedsblobprdcus16.centralus.cloudapp.azure.com
• Execution Graph export aborted for target mshta.exe, PID 6640 because it is empty
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
02:56:30 | API Interceptor | 1x Sleep call for process: mshta.exe modified
02:56:57 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.17.151.117 | LCrypt0rX.vbs | malicious | LCRYX |
| https://tr.ee/lr0TPa | malicious | Unknown |
| https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown |
| https://tr.ee/KHWUVO | malicious | Unknown |
| https://www.mediafire.com/file/l3gy4tlxy8vdh8r/Efterforskningsresultater+om+overtr%C3%A6delser.zip | malicious | Unknown |
| https://tr.ee/wPcrLZ | malicious | Unknown |
| http://goo.su/0F4Xk | malicious | Unknown |
| http://freegamesDL.net | malicious | Unknown |
| LCrypt0rX.vbs | malicious | Chaos, LCRYX |
| https://www.mediafire.com/file_premium/8q094mjevfshw6g/glass.mp3/file | malicious | Unknown |
13.33.21.29 | inquiry for chemical supply-RFQ-0982240.js | malicious | FormBook | www.wizzair.com/0gsf/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
cdn.amplitude.com | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown | 13.33.21.19
| FW Partnership HealthPlan of CA 2025 Employee Engagement Survey Dashboard Invite.msg | malicious | Unknown | 13.33.21.29
| https://email.safetyculture.io/ls/click?upn=u001.cCyxNsYTMFF4ZKCpdv-2Bg28QgUGX9bJuy-2Fei6moTQptvv2V6K6AkKU64zbCs9BLFuHYXR_Jmcoi-2BtLy2oATK-2B5qJhoXO8WIQKx6v-2BgOONpd-2Bdm5MbYvpstcM2UQs-2B9al-2B0YWp-2FLIHioEmA9x7VbqUJ0iHZ5RuT3URHNpHAW8MxlU47M70oaVfGVfxAHKdLKB857L3mVQzC5TLomvNVzTGc1xNZTM7J9SQyDeg5gmqTBxVGR-2Bxhi-2FRpL7ruqhNfku5cyBHFkVu9Mk8YrMqpwuvD03kwfo0jOu-2FDYhLAvlp0PSfypTrsLon1pmBxw-2F-2Bk5HJZZ5zZsFxvoIbMLgyFvWU11-2BLBDSnmfh8fGhZvCRi6eFC57GUJj3UgcGLWVX93vAMrkdqwttsCsMks2-2FB8pIZtGQGxPNam2WW28QD3ltMZUYgGCzJqItoU468pVM9QMdShkp-2Fd6jIukwK-2Bey5UVdQJGNQUj7s61MA7QAnXCmKNmrdW-2FTO9UpLhxl9lryeo13xkrwzWJXJQibThPapZifxIo2ivMw-3D-3D | malicious | Unknown | 18.64.155.73
| https://complianz.com/agreements/pccf9k/portal/new | malicious | Unknown | 18.64.155.6
| http://www.accessmyig.com | malicious | Unknown | 108.139.29.12
| http://goo.su/0F4Xk | malicious | Unknown | 108.139.29.53
| http://freegamesDL.net | malicious | Unknown | 108.139.29.40
| https://app.milanote.com/1U2zIh1wMk1t0w?p=EJe9bohrOuK | malicious | Unknown | 108.139.29.45
| https://funeral-notices.co.uk | malicious | HTMLPhisher | 108.139.29.45
| http://belastingdiensrt.nl.services.cartoriomoreirafeitosa.com.br//#mclear@securustechnologies.com | malicious | HTMLPhisher | 108.139.29.12
www.mediafire.com | 250427-qx3s4s1wct.bin.vbs | malicious | LCRYX | 104.17.150.117
| LCrypt0rX.vbs | malicious | LCRYX | 104.17.151.117
| https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown | 104.17.150.117
| https://www.mediafire.com/file_premium/862bjkucj0uc79f/69149366_pdf.lzh/file | malicious | Snake Keylogger, VIP Keylogger | 104.17.150.117
| http://goo.su/0F4Xk | malicious | Unknown | 104.17.151.117
| http://freegamesDL.net | malicious | Unknown | 104.17.150.117
| LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig | 104.17.150.117
| LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig | 104.17.150.117
| LCrypt0rX.vbs | malicious | Chaos, LCRYX | 104.17.151.117
| https://www.mediafire.com/file_premium/8q094mjevfshw6g/glass.mp3/file | malicious | Unknown | 104.17.151.117
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | print-2604020251.img.exe | malicious | Unknown | 1.1.1.1
| Dokument PPS542681.img.exe | malicious | Unknown | 1.1.1.1
| Factura_2025-04-28_2025827772425_V98115896.exe | malicious | GuLoader, Snake Keylogger | 104.21.48.1
| 250428-ft4acswjs2.bin.exe | malicious | Unknown | 172.64.41.3
| 250428-fhlaeasvhz.bin.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 172.67.218.184
| wBpka5DkcpKDred.exe | malicious | FormBook | 172.67.189.142
| https://8734873478934795494.z9.web.core.windows.net/ | malicious | Tycoon2FA | 104.17.25.14
| https://pdflink.to/29c49848/ | malicious | HTMLPhisher | 172.67.190.84
| https://padlet.com/michaelw58/tender-invite-80hminffvhkh6rmn | malicious | HTMLPhisher | 104.22.67.248
| 250428-d8ejfatjs7.bin.exe | malicious | Cycbot | 104.21.62.231
AMAZON-02US | hmips.elf | malicious | Unknown | 34.249.145.219
| 250428-gfyndswn16.bin.exe | malicious | Neconyd | 44.247.155.67
| 250428-f7pn5awlz3.bin.exe | malicious | Neconyd | 44.247.155.67
| 250428-f6gl5atvas.bin.exe | malicious | Neconyd | 44.247.155.67
| 250428-ft4acswjs2.bin.exe | malicious | Unknown | 54.75.69.192
| boatnet.spc.elf | malicious | Mirai | 34.249.145.219
| 250428-fcmlaastav.bin.exe | malicious | Neconyd | 44.247.155.67
| wBpka5DkcpKDred.exe | malicious | FormBook | 13.248.169.48
| Space.arm6.elf | malicious | Unknown | 34.249.145.219
| Space.arm.elf | malicious | Mirai | 34.249.145.219
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | paymentcopy_pdf.scr | malicious | Remcos, GuLoader | 192.178.49.196, 13.33.21.29
| Factura_2025-04-28_2025827772425_V98115896.exe | malicious | GuLoader, Snake Keylogger | 192.178.49.196, 13.33.21.29
| 250428-fhlaeasvhz.bin.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 192.178.49.196, 13.33.21.29
| _____1.0.5 (2).exe | malicious | Unknown | 192.178.49.196, 13.33.21.29
| _____1.0.5 (2).exe | malicious | Unknown | 192.178.49.196, 13.33.21.29
| Windows_Startup_Cleaner.exe | malicious | Unknown | 192.178.49.196, 13.33.21.29
| Windows_Startup_Cleaner.exe | malicious | Unknown | 192.178.49.196, 13.33.21.29
| VisualCode.exe | malicious | AsyncRAT, LummaC Stealer, Njrat, Quasar, Vidar | 192.178.49.196, 13.33.21.29
| 250427-29p9bstvez.bin.exe | malicious | XRed | 192.178.49.196, 13.33.21.29
| 250427-zg39dazvg1.bin.exe | malicious | Amadey, CryptOne, LummaC Stealer | 192.178.49.196, 13.33.21.29

No context
Process: C:\Windows\SysWOW64\WerFault.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.2224998049583355
Encrypted: false
SSDEEP: 192:NAd4Gd2xAiY0otkwjhFRc+LmzuiFJZ24IO8Io:CddwAizotkwjvmzuiFJY4IO8I
MD5: 1B61E32FB6E87A106F37A25EDC1A95E7
SHA1: FF20E7DDD7C68F836C18599A06100D76CF45C0DD
SHA-256: 03F2C8E99DA1403642D652F36C0EEBA40F72CA590A624E18C381C139ABEF430C
SHA-512: 52AB63F6AA32933073D7EB7E6778AC717CF2B24B12D531BA9D389D2E77B86A7B9FC0EC91DDCBCEAE374A65F07A22729F42847F423379934FA64F7A4B51AB65CF
Malicious: false
Reputation: low
Preview: ..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.0.2.9.7.0.1.4.1.8.5.6.1.7.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.9.0.2.9.7.0.1.4.9.5.1.2.4.2.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.c.0.3.8.4.8.-.9.1.4.e.-.4.0.2.5.-.8.b.3.d.-.c.b.b.6.7.d.c.c.1.5.4.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.0.d.c.9.f.6.d.-.6.5.e.2.-.4.2.a.b.-.8.5.a.e.-.3.c.b.4.e.1.2.3.b.a.0.3.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.h.t.a...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.H.T.A...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.f.0.-.0.0.0.1.-.0.0.1.8.-.a.9.1.2.-.8.9.9.d.0.a.b.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.0.8.9.b.8.3.6.3.e.b.6.8.6.c.8.d.0.5.5.e.c.2.c.4.e.5.8.9.9.f.d.d.4.5.0.e.f.7.7.d.!.m.s.
                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):6308
                                                                                                                                                                  Entropy (8bit):3.7206605043853322
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:96:RSIU6o7wVetbmRy6pRj4jYrsmao7t5aMQU+89bVCsfBLpgGm:R6l7wVeJmk6bmYQopD+89bVCsfBtnm
                                                                                                                                                                  MD5:A050F004490EE2758A2D076FE8B339E1
                                                                                                                                                                  SHA1:2DC615FCA6FDB82297F9AFFD393E254F52F9A779
                                                                                                                                                                  SHA-256:3BFAEE23D72281233EF053D3223A27A4719F415CCD226654E5FAB9747B2D4A65
                                                                                                                                                                  SHA-512:D0D4542BCE0545BDD7568D31718D89643827A0295E2249678D2A9DAA8E8C739608595B8C51EBE85FFE7DCF0D547AAFD298987517764716352921F7F0B61DC572
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.6.4.0.<./.P.i.
                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):4635
                                                                                                                                                                  Entropy (8bit):4.450829471606079
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:48:cvIwWl8zs5Jg77aI9ORWpW8VYhVYm8M4Jzgzl0FE+q8XkVoeHoSwd:uIjfLI7MA7V/Jz4llUkVDHoSwd
                                                                                                                                                                  MD5:0E86BF2DE47FDAF0230D3BD6475AE732
                                                                                                                                                                  SHA1:4BF6D57B63C09020E725D84AB721744707F0C787
                                                                                                                                                                  SHA-256:7C23F9AC2C21EA57D0E784A6AA82DE6F3403B723A9662C7A8B34BDDD1E9372D8
                                                                                                                                                                  SHA-512:57945B34F0C31B6200EB6A2BA0AD26E1B6260883A01E8A68B596D011FE5DF5E6D81E04A789E0729AFEE932933F80D0DCBCFECA925C416D895DD6630C53B4A5D9
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="824999" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Mon Apr 28 06:56:54 2025, 0x1205a4 type
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):206246
                                                                                                                                                                  Entropy (8bit):2.0336798570329915
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:768:qHRhAcgMUR/+1lbZ36+Zb44mHmdYQxgkPCj78y6uLW:ug+1hZzZb41mRCj78yc
                                                                                                                                                                  MD5:B8883D47ACD89CB2697E5491222A81D9
                                                                                                                                                                  SHA1:67978FCD466CECDFD8E3DE95AC4E7C2A8328F035
                                                                                                                                                                  SHA-256:4A2D0A6869B6709B410488270C434EC4B44F5272A1C0BA2CC353A69DACBA9887
                                                                                                                                                                  SHA-512:F6976E3DDF7445DBEC10E6ECED85B7981505633608F0F1A9FC99EC338D8DFF9F6EB20CED2A874376C5D532FC250BC7EF99E2A15E25C325C4294CBA8E3526BB75
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:MDMP..a..... ........&.h........................h&..........<....1..........xv..........`.......8...........T...........pm..6...........L1..........83..............................................................................eJ.......3......GenuineIntel............T............&.h.............................0..9...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):49120
                                                                                                                                                                  Entropy (8bit):0.0017331682157558962
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Ztt:T
                                                                                                                                                                  MD5:0392ADA071EB68355BED625D8F9695F3
                                                                                                                                                                  SHA1:777253141235B6C6AC92E17E297A1482E82252CC
                                                                                                                                                                  SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
                                                                                                                                                                  SHA-512:EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (911), with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):911
                                                                                                                                                                  Entropy (8bit):5.484507274243087
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:2jkm94/zKPccAgnHs+KVCekteS189ZsLqo40RWUnYN:VKEcznfKoHMS188LrwUnG
                                                                                                                                                                  MD5:D3C78DBD615BA7840D0AEB2B8E075645
                                                                                                                                                                  SHA1:76F36B2F804C7855B6ACFDEDACE61561236F338D
                                                                                                                                                                  SHA-256:EBBFBBD72E10308320AEBEFEB1E706A9C2373CB4CAAA6543C6CFDA5DF65EE827
                                                                                                                                                                  SHA-512:727E4EF943FC55CDF30D296A835A492432E6DA513242FC29D2BE505B7A64D9E9870FC377F5A9F2DDF69968F65825E071CC32662C54FF6EC92059A4C57861296C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Reputation:low
                                                                                                                                                                  Preview:/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']||[]).push('onload');(cfg['clr']=cfg['clr']||[]).push('true');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true; po.charset='utf-8';po.src='https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-kEsiil6fLViurM8481EXdJQQkHQUuq7A6OY7TuhkXySraE/9k/xc7bPynNEFwlr3';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s);})();
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):247
                                                                                                                                                                  Entropy (8bit):5.428842177231087
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:6:0IFFm15+56ZRWHMVgjWizlpdUD4uFl8vpAtCIif0RHC:jFMO6ZRoMYW6pSZE6tCrf0Ri
                                                                                                                                                                  MD5:F5DBA43B69C83A48868FECAD364B5B34
                                                                                                                                                                  SHA1:2A536D153CBBEA8037BE9B3DA5F2A51B6DCFB382
                                                                                                                                                                  SHA-256:4E05BF034F35EE0FD5263203A049263645F575B4846F721F667BEC6505362063
                                                                                                                                                                  SHA-512:F767C167FB7D60405558BFB15FB529DDC00C2E2169F8A938D5B7DC18DF4A4D51E4A4CCBD5EECC61732E592393676C288949F6048B526E78149280F226853DFAF
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:@font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: normal;. src: url(https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&skey=62c1cbfccc78b4b2&v=v40);.}.
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (2361)
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):249332
                                                                                                                                                                  Entropy (8bit):5.543536835293048
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:LKdrV9tD1DN30BUag0fqoaGd535Gk5+FioUJoqu7JeD0/NPgdTnc:Gvp530BUyhaAPYFFl7U0/NPgdo
                                                                                                                                                                  MD5:A267B3A1B6CF29461F9AE2336161B257
                                                                                                                                                                  SHA1:35AEAB59F63DB7A5F162A6FA0CC79DC27EB4B5FC
                                                                                                                                                                  SHA-256:05BA327A7AB8251004C218EB77A386B5F0C2921B6211BD12BDCD505A0B46416E
                                                                                                                                                                  SHA-512:4121092EE8087018D7278A8F8F2F6BCB00DEED51FFF5B55320088E965059FFCC2830A0215A1910BA2F69496DBA6DADF36B658D0B771AC8E85B00A9B00DFCE508
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"},{"function":"__cid"}],. "tags":[{"function":"__rep","once_per_event":true,"vtp_containerId":["macro",1],"tag_id":1}],. "predicates":[{"function":"_eq","arg0":["macro",0],"arg1":"gtm.js"}],. "rules":[[["if",0],["add",0]]].},."runtime":[ [50,"__cid",[46,"a"],[36,[17,[13,[41,"$0"],[3,"$0",["require","getContainerVersion"]],["$0"]],"containerId"]]]. ,[50,"__e",[46,"a"],[36,[13,[41,"$0"],[3,"$0",["require","internal.getEventData"]],["$0","event"]]]]. .].,"entities":{."__cid":{"2":true,"4":true,"3":true}.,."__e":{"2":true,"4":true}...}.,"blob":{"1":"1"}.,"permissions":{."__cid":{"read_container_data":{}}.,."__e":{"read_event_data":{"eventDataAccess":"specific","keyPatterns":["event"]}}...}....,"security_groups":{."google":[."__cid".,."__e"..]...}....};.....var k,aa=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{d
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):69465
                                                                                                                                                                  Entropy (8bit):5.508995251914778
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:nA+DtVy1IcRdURpkou5ElpQ0YMVBQjHeJtVkRnDcdzQFp2KtzRa:AMypo1pQ0AHejTb
                                                                                                                                                                  MD5:C43D9F000A09BD500ED8728606A09DE3
                                                                                                                                                                  SHA1:36AD6B0FA2C6BCD116FB642F25789FC2D08A68E6
                                                                                                                                                                  SHA-256:2450E5580136F94BDA7CCF95E3167B57E15B05B513A430967943A50036FA47A4
                                                                                                                                                                  SHA-512:802AF189282AFF84B1262A54E59463BDB9B07EC6D1DBF20FA26712B3E19A2212F1A31F2A2D4DD620D7D1313CEFF43DC4272F51A7A2407296BF6D57C11E38801B
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:var amplitude=function(){"use strict";function t(e){return(t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e})(e)}function i(e,t){for(var n=0;n<t.length;n++){var i=t[n];i.enumerable=i.enumerable||!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(e,i.key,i)}}function r(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function _(t){for(var e=1;e<arguments.length;e++){var n=null!=arguments[e]?arguments[e]:{},i=Object.keys(n);"function"==typeof Object.getOwnPropertySymbols&&(i=i.concat(Object.getOwnPropertySymbols(n).filter(function(e){return Object.getOwnPropertyDescriptor(n,e).enumerable}))),i.forEach(function(e){r(t,e,n[e])})}return t}function n(e){return function(e){if(Array.isArray(e)){for(var t=0,n=new Array(e.length);t<e.length;t++)n[t]=e[t];return n}}
                                                                                                                                                                  Process:C:\Windows\SysWOW64\mshta.exe
                                                                                                                                                                  File Type:ASCII text, with very long lines (26592)
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):342635
                                                                                                                                                                  Entropy (8bit):5.557677284087473
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3072:GPkdrV9tDBDN3IlU/g0fqfaGdY35Gk5+FioUJoquvfe+0/NPg65sjK0xGc:GsvF53IlUPoaRPYFFlv70/NPg6cK0/
                                                                                                                                                                  MD5:2E6AB67BE30A8CD7DE978D26D6BD9252
                                                                                                                                                                  SHA1:579F268779B30B83AB089FAACFD0A2164B521A14
                                                                                                                                                                  SHA-256:7BE0441EEE05A1FD5A3067719CB2F4811D701D5463C33F6425EF283D423267C6
                                                                                                                                                                  SHA-512:1A093761C730C6C85B48DB5EBFC6A7ADAEDB8E69A1AD71DA78DDC03992C4122A011F17FAD2BF6A2947BE77FABF2BADBA4606517B550954BD6B183C8B51B26BCC
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.// Copyright 2012 Google Inc. All rights reserved.. . (function(w,g){w[g]=w[g]||{};. w[g].e=function(s){return eval(s);};})(window,'google_tag_manager');. .(function(){..var data = {."resource": {. "version":"174",. . "macros":[{"function":"__u","vtp_component":"URL","vtp_enableMultiQueryKeys":false,"vtp_enableIgnoreEmptyQueryParam":false},{"function":"__e"},{"function":"__u","vtp_component":"PATH","vtp_enableMultiQueryKeys":false,"vtp_enableIgnoreEmptyQueryParam":false},{"function":"__vis","vtp_elementId":"mfAppFrame","vtp_outputMethod":"BOOLEAN","vtp_selectorType":"ID","vtp_onScreenRatio":"100"},{"function":"__j","convert_null_to":"false","convert_undefined_to":"false","vtp_name":"MF_UNICORN"},{"function":"__k","vtp_decodeCookie":false,"vtp_name":"uni-opt-out"},{"function":"__v","vtp_dataLayerVersion":2,"vtp_setDefaultValue":false,"vtp_name":"userId"},{"function":"__v","vtp_dataLayerVersion":2,"vtp_setDefaultValue":false,"vtp_name":"userType"},{"function":"__v","vtp_dataLayerVers
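The records above are the report's flattened dropped-file listing, one "Key:Value" line per field. As an added example that is not part of the Joe Sandbox report, the Python below parses that listing into one record per file, separates the WerFault.exe crash artifacts from the web content that mshta.exe cached, and computes the 8-bit entropy metric the listing reports so the very low value on the 49120-byte file can be read correctly. The sample input is constructed from three of the records above with long fields shortened (hashes are copied from the report); the record layout, the helper names and the triage rule (pivot on every hash the sandbox did not mark "high" reputation) are assumptions, not the sandbox's own logic.

```python
"""Parse a flattened Joe Sandbox 'dropped files' listing and triage it.

Added example, not part of the report. Record layout is reconstructed from
the key/value lines visible in the listing; SAMPLE is constructed from three
of those records with long fields cut short.
"""
import json
import math
from collections import defaultdict

SAMPLE = """\
Process:C:\\Windows\\SysWOW64\\WerFault.exe
File Type:Mini DuMP crash report, 15 streams, Mon Apr 28 06:56:54 2025, 0x1205a4 type
Category:dropped
Size (bytes):206246
Entropy (8bit):2.0336798570329915
Encrypted:false
MD5:B8883D47ACD89CB2697E5491222A81D9
SHA-256:4A2D0A6869B6709B410488270C434EC4B44F5272A1C0BA2CC353A69DACBA9887
Malicious:false
Reputation:low
Preview:MDMP..a.....
Process:C:\\Windows\\SysWOW64\\mshta.exe
File Type:data
Category:dropped
Size (bytes):49120
Entropy (8bit):0.0017331682157558962
Encrypted:false
MD5:0392ADA071EB68355BED625D8F9695F3
SHA-256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
Malicious:false
Reputation:high, very likely benign file
Preview:........
Process:C:\\Windows\\SysWOW64\\mshta.exe
File Type:ASCII text, with very long lines (911), with no line terminators
Category:dropped
Size (bytes):911
Entropy (8bit):5.484507274243087
Encrypted:false
MD5:D3C78DBD615BA7840D0AEB2B8E075645
SHA-256:EBBFBBD72E10308320AEBEFEB1E706A9C2373CB4CAAA6543C6CFDA5DF65EE827
Malicious:false
Preview:/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,...
"""


def parse_dropped_files(text):
    """One dict per dropped file. A record starts at every 'Process:' line;
    split on the first colon only so Windows paths and the Preview keep
    their own colons. Fields the sandbox omits (e.g. Reputation) stay absent."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Process":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, the 'Entropy (8bit)' column:
    0.0 for a constant byte stream (the mostly-zero 49120-byte file), 8.0 max."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def crash_dumps(records):
    """WER minidumps of the crashed host process; these are side effects of the
    crash the report flags, not something the HTA itself wrote."""
    return [r for r in records if r.get("File Type", "").startswith("Mini DuMP")]


def triage(records):
    """Group files by the writing executable and collect the SHA-256 of every
    file the sandbox did not vouch for with a 'high' reputation (assumed rule)."""
    by_process = defaultdict(list)
    for rec in records:
        by_process[rec["Process"].rsplit("\\", 1)[-1].lower()].append(rec)
    return {
        exe: {
            "count": len(recs),
            "bytes": sum(int(r["Size (bytes)"]) for r in recs),
            "pivot_sha256": [r["SHA-256"] for r in recs
                             if not r.get("Reputation", "").startswith("high")],
        }
        for exe, recs in by_process.items()
    }


if __name__ == "__main__":
    recs = parse_dropped_files(SAMPLE)
    print(json.dumps(triage(recs), indent=2))
    print("crash dumps:", len(crash_dumps(recs)))
```

Run against the full listing, the `pivot_sha256` lists are the hashes worth searching for in other reports; the mshta.exe group is where the remotely fetched reCAPTCHA, Google Tag Manager and Amplitude scripts land, while the WerFault.exe group only documents the crash of PID 6640.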

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, ASCII text, with very long lines (569)
Category: dropped
Size (bytes): 653519
Entropy (8bit): 5.821252682364424
Encrypted: false
SSDEEP: 6144:K+4IYIWOzpUXzgXcz1RJhG3WaJynggJ9FcfZszyIFSV7RCPt7cw04Q4+k8pHyjcf:TcEcuSFcWztkB4OXIiibAvdWLi
MD5: CBD28877A88395976F715EC0854F2851
SHA1: F35F838AF11A3BF2A2ADC866CE3E8C73A0E3275F
SHA-256: 336E6C582C23DC0FB67E2AD68159CFCEEBEE4409A0FB47B51A4323F447BEE396
SHA-512: E3E231C8937A6AF7B00FFBECB6FB7A483172948141B95919DFFDF9A9CE5651A996A7E8166BDE2677810AC372978B2926EF6A6E04982EB85C52C4E3E4C6B24521
Malicious: false
Preview: (function(){/*.. Copyright 2018 Google Inc. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2005, 2007 Bob Ippolito. All Rights Reserved.. Copyright The Closure Library Authors.. SPDX-License-Identifier: MIT.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var wS=function(){return[function(z,t,A,g,l,I,R,p,w,Y,D,G,f,n,L){return(((z^((L=[3,4,7],z)>>2>=17&&((z^42)&8)<L[0]&&(p=N[35](22,"rc-prepositional-target"),R=[],Array.prototype.forEach.call(N[8](39,l,document,g,p,"td"),function(a,q,O,S,B){((S={selected:!((B=["push",37,(O=this,17)],this.m)[B[0]](q),1),element:a,index:q},R)[B[0]](S),d[44](47,P[32](B[2],this),new sa(a),ls,function(U,C){((U=!(O.Kb((C=["rc-prepositional-selected",23,38],t)),S).selected)?(r[C[2]](20,C[0],S.element),M[4](50,A,S.index,O.m)):.(N[C[1]](99,S.element,C[0]),O.m.push(S.index)

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1681
Entropy (8bit): 4.567538112791388
Encrypted: false
SSDEEP: 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5: C74D57042D3614B92F2E0AF783ACD5DE
SHA1: 415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256: 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512: F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious: false
Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3249
Entropy (8bit): 5.4598794938059125
Encrypted: false
SSDEEP: 96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5: 939A9FBD880F8B22D4CDD65B7324C6DB
SHA1: 62167D495B0993DD0396056B814ABAE415A996EE
SHA-256: 156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512: 91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious: false
Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

Process: C:\Windows\SysWOW64\mshta.exe
File Type: PNG image data, 42 x 42, 8-bit gray+alpha, non-interlaced
Category: dropped
Size (bytes): 364
Entropy (8bit): 7.194326738537886
Encrypted: false
SSDEEP: 6:6v/lhPU8jVmdbt/MpnnOd7eDXtJAE4u8z7tGyyo+XUDDJim6FeH0b2cz8JXKNrkb:6v/78Imdbt8XTAE4afoDDD56FW0KO8c4
MD5: A3E216FD5E461266BABB87B1DA5B7BD1
SHA1: 3F130DDF6A59146BAD1D5299AD7E290E737D39B0
SHA-256: 5D974171B3B423F80948236CFBFB8F50005D85C767545E8E5EE6D74B8D8EA5DF
SHA-512: DB2DD6B1B2F3A1F32593F7122812071C6A98920DAE318A446671CBD9CCA6B54768EC6C14B3E267ACF9CBAEFAFB3EB4D6E4262A0DC5E98B76EB34EFBBBFE14C75
Malicious: false
Preview: .PNG........IHDR...*...*.....o......3IDATx.../KCq...oZ.A0L... ".Q....5.Xd..{......Y... ..*&..-..'..{....{..$.....s8....H..F.6m...R2..D....c..aZdd.5Q*.a..Q|feA..=YP..L..q....\......K.............G....X......(>...(..b.(;.b..a:L.s....|..EF.OPAIQ"..$X......,..^...G.1v.U*t....V4..<..=k.B.*VU..Y>H.l0..GR...c......j....oV.G....~...%..d_>..K.g....IEND.B`.

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1681
Entropy (8bit): 4.567538112791388
Encrypted: false
SSDEEP: 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5: C74D57042D3614B92F2E0AF783ACD5DE
SHA1: 415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256: 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512: F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious: false
Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (32769)
Category: dropped
Size (bytes): 94840
Entropy (8bit): 5.372946098601679
Encrypted: false
SSDEEP: 1536:8YRKUfAjtledhTmtaFyQHGvCXsedOgRc9izzr4yff8teLvHHEjam7W5X3yzSiLnM:VUb6GvCu09s2o2skAieW
MD5: B8D64D0BC142B3F670CC0611B0AEBCAE
SHA1: ABCD2BA13348F178B17141B445BC99F1917D47AF
SHA-256: 47B68DCE8CB6805AD5B3EA4D27AF92A241F4E29A5C12A274C852E4346A0500B4
SHA-512: A684ABBE37E8047C55C394366B012CC9AE5D682D29D340BC48A37BE1A549AECED72DE6408BEDFED776A14611E6F3374015B236FBF49422B2982EF18125FF47DC
Malicious: false
Preview: /*! jQuery v1.7.2 jquery.com | jquery.org/license */.(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cu(a){if(!cj[a]){var b=c.body,d=f("<"+a+">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){ck||(ck=c.createElement("iframe"),ck.frameBorder=ck.width=ck.height=0),b.appendChild(ck);if(!cl||!ck.createElement)cl=(ck.contentWindow||ck.contentDocument).document,cl.write((f.support.boxModel?"<!doctype html>":"")+"<html><body>"),cl.close();d=cl.createElement(a),cl.body.appendChild(d),e=f.css(d,"display"),b.removeChild(ck)}cj[a]=e}return cj[a]}function ct(a,b){var c={};f.each(cp.concat.apply([],cp.slice(0,b)),function(){c[this]=a});return c}function cs(){cq=b}function cr(){setTimeout(cs,0);return cq=f.now()}function ci(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ch(){try{return new a.XMLHttpRequest}catch(b){}}function cb(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTyp

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.375807179649337
Encrypted: false
SSDEEP: 6144:0FVfpi6ceLP/9skLmb0ByWWSPtaJG8nAge35OlMMhA2AX4WABlRuNoiL:UV13yWWI/glMM6kFI+q
MD5: 6CD5AC30394DE4FBF76FC9234869E6D4
SHA1: 2FD67121DB671763DA05BCD6A4B73074EC213A08
SHA-256: A8AFFAB48C131EC4292EE5E185482E76149A1ECEA5270FEC60256723D1BF43FE
SHA-512: 4A52DB41E3AA831330E857B11BB383F1E6EAE6F2598739364B3B5B024071669E5EE8BF23AB5A74400283AF977232AEA751B898D8175760AFCBD63F8DCC28E45D
Malicious: false
Preview: regfE...E....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.9...

File type: HTML document, ASCII text, with very long lines (9184)
Entropy (8bit): 5.319674058191563
TrID:
• HyperText Markup Language (12502/1) 100.00%
File name: default.hta
File size: 33'602 bytes
MD5: 69884c859563d6a1bbd9dbaeb4a69db4
SHA1: ae0d8f75985832eba5f1903707b4175e344785b9
SHA256: d5a4eb04650aa9ca958eb782b175d613b52285e1f17caef218be30aad1a6432b
SHA512: fe9c0a9f138c461e47788b2ed68a7b4c392ad6813d3bb064afed15ce3dfd1f33820b069ca8d88d971d36479a47831b683c1b267999cec44723e5053ec35bd705
SSDEEP: 768:M5Rdm1TxMzHqrds/BozKiBbK6Kf3ISe27x/Y:M5Rdm1TAH5BoLbjc3IKx/Y
TLSH: AEE2F922FDA5903602674199F7BBA709F371404BCA08CA10F2FC866A6FD9E46CC579DD
File Content Preview: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />.<title>File sharing and storage made simple</title>.<


• Total Packets: 31
• 445 (Microsoft-DS)
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 28, 2025 08:56:08.080549002 CEST  49682        445        192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:09.077924013 CEST  49682        445        192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:11.077903032 CEST  49682        445        192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:15.077897072 CEST  49682        445        192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:23.077989101 CEST  49682        445        192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:30.668271065 CEST  49692        443        192.168.2.8      192.178.49.196
Apr 28, 2025 08:56:30.668278933 CEST  443          49692      192.178.49.196   192.168.2.8
Apr 28, 2025 08:56:30.668337107 CEST  49692        443        192.168.2.8      192.178.49.196
Apr 28, 2025 08:56:30.670742035 CEST  49694        80         192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:30.702117920 CEST  49692        443        192.168.2.8      192.178.49.196
Apr 28, 2025 08:56:30.702151060 CEST  443          49692      192.178.49.196   192.168.2.8
Apr 28, 2025 08:56:30.811752081 CEST  80           49694      104.17.151.117   192.168.2.8
Apr 28, 2025 08:56:30.811840057 CEST  49694        80         192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:30.812088013 CEST  49694        80         192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:30.951991081 CEST  80           49694      104.17.151.117   192.168.2.8
Apr 28, 2025 08:56:30.980840921 CEST  80           49694      104.17.151.117   192.168.2.8
Apr 28, 2025 08:56:30.982558966 CEST  49694        80         192.168.2.8      104.17.151.117
Apr 28, 2025 08:56:31.021308899 CEST  443          49692      192.178.49.196   192.168.2.8
Apr 28, 2025 08:56:31.021378994 CEST  49692        443        192.168.2.8      192.178.49.196
Apr 28, 2025 08:56:31.103121996 CEST  49692        443        192.168.2.8      192.178.49.196
Apr 28, 2025 08:56:31.103140116 CEST  443          49692      192.178.49.196   192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.103410006 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.103578091 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.109061956 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.156272888 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.349231958 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.349322081 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.349344969 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.349380970 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.349386930 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.349397898 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.349436045 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.351819992 CEST49692443192.168.2.8192.178.49.196
                                                                                                                                                                  Apr 28, 2025 08:56:31.351840973 CEST44349692192.178.49.196192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.589112997 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.589147091 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.589200020 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.589440107 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.589453936 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.894536972 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.894587040 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.897799969 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.897809029 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.898056984 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:31.898117065 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.898520947 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:31.940275908 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.248266935 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.248364925 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.269094944 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.269104004 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.269128084 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.269151926 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.269181967 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.269196987 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.269202948 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.269223928 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.269247055 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.276954889 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.277014971 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.277024984 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.277038097 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.277061939 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.277096987 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.277299881 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.277317047 CEST4434969713.33.21.29192.168.2.8
                                                                                                                                                                  Apr 28, 2025 08:56:32.277328014 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:32.277364016 CEST49697443192.168.2.813.33.21.29
                                                                                                                                                                  Apr 28, 2025 08:56:59.711781979 CEST4969480192.168.2.8104.17.151.117
Timestamp                            | Source Port | Dest Port | Source IP   | Dest IP
Apr 28, 2025 08:56:30.519629955 CEST | 51753       | 53        | 192.168.2.8 | 1.1.1.1
Apr 28, 2025 08:56:30.529293060 CEST | 52702       | 53        | 192.168.2.8 | 1.1.1.1
Apr 28, 2025 08:56:30.659944057 CEST | 53          | 51753     | 1.1.1.1     | 192.168.2.8
Apr 28, 2025 08:56:30.670144081 CEST | 53          | 52702     | 1.1.1.1     | 192.168.2.8
Apr 28, 2025 08:56:31.429121971 CEST | 53810       | 53        | 192.168.2.8 | 1.1.1.1
Apr 28, 2025 08:56:31.588337898 CEST | 53          | 53810     | 1.1.1.1     | 192.168.2.8
Timestamp                            | Source IP   | Dest IP | Trans ID | OP Code            | Name              | Type           | Class       | DNS over HTTPS
Apr 28, 2025 08:56:30.519629955 CEST | 192.168.2.8 | 1.1.1.1 | 0x2ea6   | Standard query (0) | www.google.com    | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:30.529293060 CEST | 192.168.2.8 | 1.1.1.1 | 0x1b14   | Standard query (0) | www.mediafire.com | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:31.429121971 CEST | 192.168.2.8 | 1.1.1.1 | 0x2d12   | Standard query (0) | cdn.amplitude.com | A (IP address) | IN (0x0001) | false
Timestamp                            | Source IP | Dest IP     | Trans ID | Reply Code   | Name              | CName | Address        | Type           | Class       | DNS over HTTPS
Apr 28, 2025 08:56:30.659944057 CEST | 1.1.1.1   | 192.168.2.8 | 0x2ea6   | No error (0) | www.google.com    |       | 192.178.49.196 | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:30.670144081 CEST | 1.1.1.1   | 192.168.2.8 | 0x1b14   | No error (0) | www.mediafire.com |       | 104.17.151.117 | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:30.670144081 CEST | 1.1.1.1   | 192.168.2.8 | 0x1b14   | No error (0) | www.mediafire.com |       | 104.17.150.117 | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:31.588337898 CEST | 1.1.1.1   | 192.168.2.8 | 0x2d12   | No error (0) | cdn.amplitude.com |       | 13.33.21.29    | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:31.588337898 CEST | 1.1.1.1   | 192.168.2.8 | 0x2d12   | No error (0) | cdn.amplitude.com |       | 13.33.21.39    | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:31.588337898 CEST | 1.1.1.1   | 192.168.2.8 | 0x2d12   | No error (0) | cdn.amplitude.com |       | 13.33.21.95    | A (IP address) | IN (0x0001) | false
Apr 28, 2025 08:56:31.588337898 CEST | 1.1.1.1   | 192.168.2.8 | 0x2d12   | No error (0) | cdn.amplitude.com |       | 13.33.21.19    | A (IP address) | IN (0x0001) | false
• www.google.com
• cdn.amplitude.com
• www.mediafire.com

Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.8 | 49694       | 104.17.151.117 | 80               | 6640 | C:\Windows\SysWOW64\mshta.exe

Timestamp                            | Bytes transferred | Direction | Data
Apr 28, 2025 08:56:30.812088013 CEST | 333               | OUT       | GET /images/icons/myfiles/default.png HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.mediafire.com
Connection: Keep-Alive
Apr 28, 2025 08:56:30.980840921 CEST | 1224              | IN        | HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 06:56:30 GMT
Content-Type: image/png
Content-Length: 364
Connection: keep-alive
CF-Ray: 9374a9010bb11937-PHX
CF-Cache-Status: HIT
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Age: 8857
Cache-Control: max-age=2592000
ETag: "62deda56-1a8"
Expires: Wed, 28 May 2025 01:16:05 GMT
Last-Modified: Mon, 25 Jul 2022 18:00:54 GMT
Vary: Accept-Encoding
access-control-allow-methods: OPTIONS, POST, GET
alt-svc: h3=":443"; ma=86400
Cf-Bgj: imgq:100,h2pri
Cf-Polished: origSize=424
x-mf-env: liveApi
x-mf-fe: mf1
Set-Cookie: __cf_bm=Huy_7M93HL0w_egGIR4_POG20zd7flbTUzbkTd.WbkQ-1745823390-1.0.1.1-dA8F6iyh9hBtyFr.w8Al..n0Kh_E8FhwNM5wjJGPLz5iF8LV9qG6qL2z8jUqLn2RpCN743ljx3uFexvDp_xNqywnL42OogmtzkpmoUan9cg; path=/; expires=Mon, 28-Apr-25 07:26:30 GMT; domain=.mediafire.com; HttpOnly
Server: cloudflare


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.8 | 49692       | 192.178.49.196 | 443              | 6640 | C:\Windows\SysWOW64\mshta.exe

Timestamp               | Bytes transferred | Direction | Data
2025-04-28 06:56:31 UTC | 314               | OUT       | GET /recaptcha/api.js HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.google.com
Connection: Keep-Alive
2025-04-28 06:56:31 UTC | 749               | IN        | HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Expires: Mon, 28 Apr 2025 06:56:31 GMT
Date: Mon, 28 Apr 2025 06:56:31 GMT
Cache-Control: private, max-age=300
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_38fac9d5b82543fc4729580d18ff2d3d"
Report-To: {"group":"coop_38fac9d5b82543fc4729580d18ff2d3d","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/38fac9d5b82543fc4729580d18ff2d3d"}]}
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
                                                                                                                                                                  2025-04-28 06:56:31 UTC575INData Raw: 33 38 66 0d 0a 2f 2a 20 50 4c 45 41 53 45 20 44 4f 20 4e 4f 54 20 43 4f 50 59 20 41 4e 44 20 50 41 53 54 45 20 54 48 49 53 20 43 4f 44 45 2e 20 2a 2f 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 77 3d 77 69 6e 64 6f 77 2c 43 3d 27 5f 5f 5f 67 72 65 63 61 70 74 63 68 61 5f 63 66 67 27 2c 63 66 67 3d 77 5b 43 5d 3d 77 5b 43 5d 7c 7c 7b 7d 2c 4e 3d 27 67 72 65 63 61 70 74 63 68 61 27 3b 76 61 72 20 67 72 3d 77 5b 4e 5d 3d 77 5b 4e 5d 7c 7c 7b 7d 3b 67 72 2e 72 65 61 64 79 3d 67 72 2e 72 65 61 64 79 7c 7c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 28 63 66 67 5b 27 66 6e 73 27 5d 3d 63 66 67 5b 27 66 6e 73 27 5d 7c 7c 5b 5d 29 2e 70 75 73 68 28 66 29 3b 7d 3b 77 5b 27 5f 5f 72 65 63 61 70 74 63 68 61 5f 61 70 69 27 5d 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67
                                                                                                                                                                  Data Ascii: 38f/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.g
                                                                                                                                                                  2025-04-28 06:56:31 UTC343INData Raw: 6b 58 72 42 77 59 64 39 64 54 46 37 2f 72 65 63 61 70 74 63 68 61 5f 5f 65 6e 2e 6a 73 27 3b 70 6f 2e 63 72 6f 73 73 4f 72 69 67 69 6e 3d 27 61 6e 6f 6e 79 6d 6f 75 73 27 3b 70 6f 2e 69 6e 74 65 67 72 69 74 79 3d 27 73 68 61 33 38 34 2d 6b 45 73 69 69 6c 36 66 4c 56 69 75 72 4d 38 34 38 31 45 58 64 4a 51 51 6b 48 51 55 75 71 37 41 36 4f 59 37 54 75 68 6b 58 79 53 72 61 45 2f 39 6b 2f 78 63 37 62 50 79 6e 4e 45 46 77 6c 72 33 27 3b 76 61 72 20 65 3d 64 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 73 63 72 69 70 74 5b 6e 6f 6e 63 65 5d 27 29 2c 6e 3d 65 26 26 28 65 5b 27 6e 6f 6e 63 65 27 5d 7c 7c 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 27 6e 6f 6e 63 65 27 29 29 3b 69 66 28 6e 29 7b 70 6f 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 6e 6f 6e 63 65
                                                                                                                                                                  Data Ascii: kXrBwYd9dTF7/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-kEsiil6fLViurM8481EXdJQQkHQUuq7A6OY7TuhkXySraE/9k/xc7bPynNEFwlr3';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce
                                                                                                                                                                  2025-04-28 06:56:31 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                  Data Ascii: 0


Session ID: 1
Source: 192.168.2.8:49697
Destination: 13.33.21.29:443
PID: 6640
Process: C:\Windows\SysWOW64\mshta.exe

Timestamp   Bytes transferred   Direction   Data

2025-04-28 06:56:31 UTC   346 bytes   OUT
GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1
Accept: */*
Accept-Language: en-CH
Origin: file:
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.amplitude.com
Connection: Keep-Alive

2025-04-28 06:56:32 UTC   786 bytes   IN
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 22154
Connection: close
Date: Mon, 28 Apr 2025 06:56:33 GMT
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD
Access-Control-Max-Age: 3000
Last-Modified: Fri, 13 Aug 2021 22:37:42 GMT
ETag: "660c3b546f2a131de50b69b91f26c636"
x-amz-server-side-encryption: AES256
Cache-Control: max-age=31536000
Content-Encoding: gzip
x-amz-version-id: NY8_7uBz3xoXYJBVsMSBAGHOz8ixMBS3
Accept-Ranges: bytes
Server: AmazonS3
Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
X-Cache: Miss from cloudfront
Via: 1.1 e4e9f958f2aecd2a30698721fc907076.cloudfront.net (CloudFront)
X-Amz-Cf-Pop: LAX53-P2
X-Amz-Cf-Id: 3acohyIGHHOUbeAVtsYKihTZp9SkPrgbba2PV6gQY9Z-n3UjLij5Cg==

2025-04-28 06:56:32 UTC   16384 bytes   IN
Data Raw: 1f 8b 08 00 2d f4 16 61 00 03 cc 3b 8d 73 e2 b6 f2 ff 8a e3 76 88 5d 14 17 48 9a be 9a a8 0c 49 b8 2b 6d 02 94 8f eb 5d 39 1e e3 80 42 dc 80 c5 d9 72 72 34 f0 bf bf 5d 49 fe e0 23 d7 4e df ef cd fc 66 6e 82 bd 5a af 56 bb ab fd 92 ee c9 0b 0d 6f b1 9c fb 22 9e 32 7a 1f 07 13 e1 f3 c0 b2 5f cc 38 62 46 24 42 7f 22 cc 6a 02 37 84 c5 ec 97 90 89 38 0c 2c 41 cd 04 6e 52 2a 56 4b c6 ef 8d de 6a 71 c7 e7 85 82 19 c9 87 dd 01 c7 17 2c f4 04 0f 6b e9 54 29 41 43 63 b2 8d 7b 60 90 01 cd d7 a7 63 ce 84 07 c0 6d 3c 01 da 94 d2 14 7e 94 3c 3b cb 90 0b 8e 9f d5 12 de dc 74 42 1b 26 da a4 8b f4 2d 46 84 fd 72 cf 43 eb 09 c4 13 d0 52 35 b8 10 ce 9c 05 33 f1 50 0d 8a 45 fb 05 e1 3e 15 c3 60 54 f5 1d 16 c4 0b 58 d5 dd 9c d1 fc cb 7a 7d 54 26 3e 32 76 ef cf 62 35 7e 54 22
Data Ascii: -a;sv]HI+m]9Brr4]I#NfnZVo"2z_8bF$B"j78,AnR*VKjq,kT)ACc{`cm<~<;tB&-FrCR53PE>`TXz}T&>2vb5~T"

2025-04-28 06:56:32 UTC   5770 bytes   IN
Data Raw: 54 7e 3d 4d d1 5b d5 8b a1 2c cc cc e0 40 47 2f 48 ee 79 6f 4f 61 d7 9b 90 4a f6 be 22 aa 56 60 2a 31 24 d0 0e 9e 0f 1b 9a 95 df 89 88 21 32 20 15 6f 1c 46 d8 5e c5 9b f1 b8 35 60 ec 49 22 21 d0 ea 06 02 42 14 54 58 be 17 a9 88 1e f1 be dd aa 83 01 2d 49 4d 2b 89 0b 82 c9 ba 36 83 82 74 ab 30 84 a0 c6 76 71 bd 0c fa f3 c7 8e 8a c7 d6 30 4e 54 11 30 62 42 55 a2 2a e9 ec a0 55 ad 04 5c 21 d8 08 4f a8 9a af 9b be fe cb aa 39 c5 52 06 22 f7 f9 1d 50 19 aa 40 27 91 cc ec e5 fe e1 ea 97 6f df 6b 19 85 36 a8 51 12 a2 44 b5 ad 6d 66 ec 2e a1 4b e6 c9 18 f9 14 67 c5 14 d8 85 24 67 c5 ac d6 82 ea 1b 29 cf d2 22 05 ef 47 85 53 79 09 c8 cc c1 08 64 2a a2 0a ba 95 13 a2 bd 65 b9 c9 5a 9b f4 d8 74 83 8a 48 16 53 f9 fe bf ea 74 6a a3 8b 65 c4 cb b5 9a ab 7f f8 50 c2 c5
Data Ascii: T~=M[,@G/HyoOaJ"V`*1$!2 oF^5`I"!BTX-IM+6t0vq0NT0bBU*U\!O9R"P@'ok6QDmf.Kg$g)"GSyd*eZtHStjeP
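The two inbound bodies above can be checked for completeness straight from the "Bytes transferred" column and the first "Data Raw" row of each response: the google.com reply is chunked, so its first five bytes ("38f\r\n") declare the chunk size, and the amplitude reply is a gzip stream whose 10-byte header carries the compressor's modification time, which should agree with the Last-Modified header. The script below is an added example and not part of the Joe Sandbox report; the hex prefixes, byte counts and header values are copied from the rows above, and the function names are my own.

```python
"""Completeness checks for the two HTTP response bodies captured in this report,
reassembled from the sandbox's 'Data Raw' hex rows (added example; the hex
prefixes, byte counts and header values below are copied from the report, the
function names are my own)."""
import struct
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Tuple

# google.com /recaptcha/api.js: Transfer-Encoding: chunked, three IN rows.
RECAPTCHA_ROW1 = "33 38 66 0d 0a 2f 2a 20 50 4c 45 41 53 45 20 44 4f 20 4e 4f 54"
RECAPTCHA_ROW3 = "30 0d 0a 0d 0a"
RECAPTCHA_IN_SIZES = [575, 343, 5]            # 'Bytes transferred', IN direction

# cdn.amplitude.com /libs/amplitude-8.5.0-min.gz.js: Content-Length plus gzip.
AMPLITUDE_ROW1 = "1f 8b 08 00 2d f4 16 61 00 03 cc 3b 8d 73 e2 b6"
AMPLITUDE_IN_SIZES = [16384, 5770]
AMPLITUDE_CONTENT_LENGTH = 22154
AMPLITUDE_LAST_MODIFIED = "Fri, 13 Aug 2021 22:37:42 GMT"


def data_raw_to_bytes(row: str) -> bytes:
    """Turn one 'Data Raw: 33 38 66 ...' row into bytes."""
    return bytes.fromhex(row.replace(" ", ""))


def parse_chunk_size_line(body: bytes) -> Tuple[int, int]:
    """Return (chunk size, bytes consumed) for the size line that opens a chunk."""
    end = body.index(b"\r\n")
    size_field = body[:end].split(b";", 1)[0]    # chunk extensions are ignored
    return int(size_field, 16), end + 2


def chunk_bytes_on_wire(chunk_size: int) -> int:
    """Bytes one chunk occupies on the wire: size line, payload, trailing CRLF."""
    return len(f"{chunk_size:x}\r\n") + chunk_size + 2


def is_last_chunk(row: bytes) -> bool:
    """A zero-size chunk followed by an empty trailer section ends a chunked body."""
    return row == b"0\r\n\r\n"


def chunked_body_complete(in_sizes: List[int], first_row: bytes) -> bool:
    """Packets before the terminator must add up to exactly one full chunk.

    This response carries a single chunk; a multi-chunk body would need the
    size line of every chunk, which the report only shows for the first one."""
    chunk_size, _ = parse_chunk_size_line(first_row)
    return sum(in_sizes[:-1]) == chunk_bytes_on_wire(chunk_size)


def content_length_complete(in_sizes: List[int], content_length: int) -> bool:
    """Without chunking, the IN packets must add up to Content-Length."""
    return sum(in_sizes) == content_length


def parse_gzip_header(data: bytes) -> Dict[str, int]:
    """Decode the fixed 10-byte gzip member header (RFC 1952, little-endian MTIME)."""
    id1, id2, cm, flg, mtime, xfl, os_ = struct.unpack("<BBBBIBB", data[:10])
    if (id1, id2, cm) != (0x1F, 0x8B, 8):
        raise ValueError("not a gzip stream")
    return {"flags": flg, "mtime": mtime, "xfl": xfl, "os": os_}


def gzip_mtime_matches_last_modified(data: bytes, last_modified: str,
                                     tolerance_s: int = 60) -> bool:
    """Compare the compressor's MTIME with the HTTP Last-Modified date."""
    built = datetime.fromtimestamp(parse_gzip_header(data)["mtime"], tz=timezone.utc)
    served = parsedate_to_datetime(last_modified)
    return abs((served - built).total_seconds()) <= tolerance_s


if __name__ == "__main__":
    first = data_raw_to_bytes(RECAPTCHA_ROW1)
    print("recaptcha chunk size:", parse_chunk_size_line(first)[0])
    print("recaptcha body complete:", chunked_body_complete(RECAPTCHA_IN_SIZES, first),
          "terminator seen:", is_last_chunk(data_raw_to_bytes(RECAPTCHA_ROW3)))
    print("amplitude body complete:",
          content_length_complete(AMPLITUDE_IN_SIZES, AMPLITUDE_CONTENT_LENGTH))
    amp = data_raw_to_bytes(AMPLITUDE_ROW1)
    print("amplitude gzip header:", parse_gzip_header(amp),
          "mtime agrees with Last-Modified:",
          gzip_mtime_matches_last_modified(amp, AMPLITUDE_LAST_MODIFIED))
```

The numbers line up: 0x38f is 911 bytes, and the two data packets (575 + 343) total 918, which is the 5-byte size line plus 911 bytes of script plus the closing CRLF; the two amplitude packets (16384 + 5770) total exactly the 22154 bytes of Content-Length; and the gzip MTIME (0x6116f42d, 2021-08-13 22:37:33 UTC) sits nine seconds before the Last-Modified date, so the CDN is serving a pre-compressed object rather than compressing on the fly. When those sums do not match, the sandbox truncated the capture and any hash or string search over the "Data Raw" rows is working on a partial body.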


[Process timeline charts: one on a 0-100 scale and one on a 0-40 MB scale, both over a 0-100 s axis; behavior distribution chart by category: File, Registry]

Target ID: 0
Start time: 02:56:06
Start date: 28/04/2025
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\default.hta"
Imagebase: 0x260000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 10
Start time: 02:56:53
Start date: 28/04/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 2804
Imagebase: 0xd80000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

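The two process records above carry the facts a triage rule would key on: a script host (mshta.exe) launched with an .hta from a user-writable path, running with administrator privileges, and a WerFault.exe instance whose -p argument names the process it is reporting a crash for. The script below is an added example and not part of the Joe Sandbox report; the records are transcribed from the Target ID 0 and Target ID 10 blocks, the PID 6640 on the mshta.exe record is an assumption taken from WerFault's -p value (the process blocks themselves list no PID), and the rule names are my own.

```python
"""Triage checks over the process records of this report (added example; the
records are transcribed from the report's process blocks, PID 6640 on the
mshta.exe record is assumed from WerFault's '-p 6640', rule names are my own)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Paths an ordinary user can write to; a script host loading from here is the
# classic T1218.005 (mshta) / signed-binary-proxy-execution pattern.
USER_WRITABLE = re.compile(r"^C:\\(Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass
class Proc:
    target_id: int
    pid: Optional[int]
    path: str
    cmdline: str
    wow64: bool
    admin: bool


# Constructed from the report's process blocks (PID 6640 is an assumption).
PROCS = [
    Proc(0, 6640, r"C:\Windows\SysWOW64\mshta.exe",
         r'mshta.exe "C:\Users\user\Desktop\default.hta"', True, True),
    Proc(10, None, r"C:\Windows\SysWOW64\WerFault.exe",
         r"C:\Windows\SysWOW64\WerFault.exe -u -p 6640 -s 2804", True, True),
]


def exe_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', cmdline)]


def script_host_from_user_path(p: Proc) -> bool:
    """True when a script host is given a script that lives in a user-writable path."""
    if exe_name(p.path) not in SCRIPT_HOSTS:
        return False
    return any(USER_WRITABLE.match(a) for a in split_cmdline(p.cmdline)[1:])


def werfault_target_pid(p: Proc) -> Optional[int]:
    """Return the PID WerFault was asked to report on (-p <pid>), if any."""
    if exe_name(p.path) != "werfault.exe":
        return None
    args = split_cmdline(p.cmdline)
    for i, a in enumerate(args):
        if a == "-p" and i + 1 < len(args) and args[i + 1].isdigit():
            return int(args[i + 1])
    return None


def crashed_processes(procs: List[Proc]) -> Dict[int, str]:
    """Map each PID that WerFault reported on to that process's command line."""
    by_pid = {p.pid: p for p in procs if p.pid is not None}
    crashed: Dict[int, str] = {}
    for p in procs:
        pid = werfault_target_pid(p)
        if pid is not None and pid in by_pid:
            crashed[pid] = by_pid[pid].cmdline
    return crashed


def findings(procs: List[Proc]) -> List[str]:
    hits = []
    for p in procs:
        if script_host_from_user_path(p):
            note = "target %d: %s ran a script from a user-writable path" % (
                p.target_id, exe_name(p.path))
            if p.admin:
                note += " with administrator privileges"
            hits.append(note)
    for pid, cmd in crashed_processes(procs).items():
        hits.append("pid %d crashed and was handled by WerFault: %s" % (pid, cmd))
    return hits


if __name__ == "__main__":
    for line in findings(PROCS):
        print(line)
```

The crash link matters for reading the rest of the report: the report's "One or more processes crash" signature is this WerFault instance, and because the script host died the network sessions above may be all that the sample managed to do in the sandbox, not its full intended behaviour.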
Executed Functions

Memory Dump Source
• Source File: 00000000.00000002.1319182981.0000000006D10000.00000010.00000800.00020000.00000000.sdmp, Offset: 06D10000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6d10000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: cf6ee7856b84a4a8d4631d32b18d8183abfbce570c03f09bc385aae6d1a445e2
• Instruction ID: 35995d3e29620358a58665d8078bb98a5404015f723170602ba38c2f9ad5ab9d
• Opcode Fuzzy Hash: cf6ee7856b84a4a8d4631d32b18d8183abfbce570c03f09bc385aae6d1a445e2
• Instruction Fuzzy Hash: BB41AF71A04314EFEBA0EF54E580A6AB3B1FF84314F158059E9556F251CBB1ECC2CB91

Memory Dump Source
• Source File: 00000000.00000002.1317601713.0000000006AC0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6ac0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4167c324804ba3f868a8cee4855bb03a2a400dd5f85c10f827c51135a8551447
• Instruction ID: 4871fb3847c7ec7f8c024195693478b55b1f4f0d43f1f78699b368bf565daf59
• Opcode Fuzzy Hash: 4167c324804ba3f868a8cee4855bb03a2a400dd5f85c10f827c51135a8551447
• Instruction Fuzzy Hash:
                                                                                                                                                                  • Instruction Fuzzy Hash: