Windows Analysis Report
hyirn.hta

Overview

General Information

Sample name: hyirn.hta
Analysis ID: 1676149
MD5: 677744e61095af1985740d4867a7799f
SHA1: 81d1d4982501cd50a12599554a7efb570852d37b
SHA256: ec3b78ff8656414003e6fd72f6c84d05824c15b8b9c75737baaa25f35b064362
Tags: hta, user-abuse_ch

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Searches for the Microsoft Outlook file path
Sigma detected: Use Short Name Path in Command Line

Classification

Classification chart (axes: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • mshta.exe (PID: 7200 cmdline: mshta.exe "C:\Users\user\Desktop\hyirn.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
  • iexplore.exe (PID: 7380 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)
    • iexplore.exe (PID: 7644 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)
      • ssvagent.exe (PID: 6140 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)
    • iexplore.exe (PID: 6148 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17414 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)
  • cleanup
No configs have been found
No yara matches
Source: Process started; Author: frack113, Nasreddine Bencherchali; Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 7644, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 6140, ProcessName: ssvagent.exe
Source: Registry Key set; Author: frack113; Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 7380, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe
No Suricata rule has matched

AV Detection

Source: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI; Avira URL Cloud: Label: phishing
Source: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3NDFucGhocnMzY2x2cjQ2NWluOGYiLCJuYmYiOjE3NDU4MzMxNzksInRzIjoxNzQ1ODMzMTc5ODQxNTY4fQ.GYLOhJXC8zJbsKkAHL2HtmiFmaZXfQoNnQNRgm8dg1g&sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c; Avira URL Cloud: Label: phishing
Source: unknown; HTTPS traffic detected: 162.210.199.87:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.210.199.87:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: Joe Sandbox View; IP Address: 199.59.243.228
Source: Joe Sandbox View; JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; HTTP traffic detected: GET /hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3NDFucGhocnMzY2x2cjQ2NWluOGYiLCJuYmYiOjE3NDU4MzMxNzksInRzIjoxNzQ1ODMzMTc5ODQxNTY4fQ.GYLOhJXC8zJbsKkAHL2HtmiFmaZXfQoNnQNRgm8dg1g&sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-CH | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: d.coka.la | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 | Accept: text/html, application/xhtml+xml, image/jxr, */* | Accept-Language: en-CH | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Connection: Keep-Alive | Host: ww1.coka.la
Source: global traffic; HTTP traffic detected: GET /bdEpZXZjv.js HTTP/1.1 | Accept: application/javascript, */*;q=0.8 | Referer: http://ww1.coka.la/ | Accept-Language: en-CH | User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko | Accept-Encoding: gzip, deflate | Host: ww1.coka.la | Connection: Keep-Alive | Cookie: parking_session=64a4f9ee-eaf9-4ee1-8de3-58be0c67309f
Source: msapplication.xml0.2.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0b51d73b,0x01dbb822</date><accdate>0x0b51d73b,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0b569bf1,0x01dbb822</date><accdate>0x0b569bf1,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr; String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0b569bf1,0x01dbb822</date><accdate>0x0b58fe7a,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: global traffic; DNS traffic detected: DNS query: c.pki.goog
Source: global traffic; DNS traffic detected: DNS query: d.coka.la
Source: global traffic; DNS traffic detected: DNS query: ww1.coka.la
Source: ~DFBB61539C07C1C0F5.TMP.2.dr, {33227F06-2415-11F0-8C30-ECF4BB570DC9}.dat.2.dr; String found in binary or memory: http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6
Source: msapplication.xml8.2.dr; String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.2.dr; String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr; String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr; String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.2.dr; String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr; String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr; String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr; String found in binary or memory: http://www.youtube.com/
Source: mshta.exe, 00000000.00000003.1385533745.00000000032C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2570721542.0000000003307000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1395080550.00000000064C3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1385409555.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2570721542.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2571519007.00000000064C1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1385409555.0000000003303000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1395004313.00000000064C2000.00000004.00000800.00020000.00000000.sdmp, hyirn.hta; String found in binary or memory: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI
Source: E8YOUFQ6.htm.5.dr; String found in binary or memory: https://www.google.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown; Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49693 -> 443
Source: unknown; HTTPS traffic detected: 162.210.199.87:443 -> 192.168.2.5:49692 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 162.210.199.87:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine; Classification label: mal48.winHTA@8/21@3/2
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery
Source: C:\Program Files\Internet Explorer\iexplore.exe; File created: C:\Users\user\AppData\Local\Temp\~DFAD68770A5238FA45.TMP
Source: C:\Program Files\Internet Explorer\iexplore.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\hyirn.hta"
Source: unknown; Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17414 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17410 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17414 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: ieproxy.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe; Section loaded: dwrite.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: vcruntime140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: wininet.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: urlmon.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: msvcp140.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: iertutil.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: srvcli.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: netutils.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe; Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe; Window / User API: threadDelayed 7344
MITRE ATT&CK Matrix, listed per tactic column. A technique followed by a count in parentheses was matched by that many signatures; the other entries are the matrix's default, unmatched cells.
Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook
Defense Evasion: Masquerading (1), Process Injection (1), DLL Side-Loading (1), Binary Padding
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Application Window Discovery (1), File and Directory Discovery (1), System Information Discovery (3), System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Email Collection (1), Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Encrypted Channel (1), Non-Application Layer Protocol (2), Application Layer Protocol (3), Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
Behavior Graph (ID 1676149, sample hyirn.hta, start date 28/04/2025, architecture WINDOWS, score 48): mshta.exe and iexplore.exe were started; iexplore.exe started two child iexplore.exe processes, one of which started ssvagent.exe. The signature "Antivirus detection for URL or domain" is attached to the graph. Network nodes: d.coka.la (162.210.199.87, ports 443, 49692, 49693, LEASEWEB-USA-WDCUS, United States), 12065.bodis.com (199.59.243.228, ports 49694, 49695, 80, BODIS-NJUS, United States), ww1.coka.la, pki-goog.l.google.com, and 3 other IPs or domains.

Source | Detection | Scanner | Label
hyirn.hta | 0% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://ww1.coka.la/ | 0% | Avira URL Cloud | safe
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI | 100% | Avira URL Cloud | phishing
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3NDFucGhocnMzY2x2cjQ2NWluOGYiLCJuYmYiOjE3NDU4MzMxNzksInRzIjoxNzQ1ODMzMTc5ODQxNTY4fQ.GYLOhJXC8zJbsKkAHL2HtmiFmaZXfQoNnQNRgm8dg1g&sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c | 100% | Avira URL Cloud | phishing
http://ww1.coka.la/bdEpZXZjv.js | 0% | Avira URL Cloud | safe
http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6 | 0% | Avira URL Cloud | safe

Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
d.coka.la | 162.210.199.87 | true | false | | unknown
12065.bodis.com | 199.59.243.228 | true | false | | high
pki-goog.l.google.com | 192.178.49.195 | true | false | | high
ww1.coka.la | unknown | unknown | false | | unknown
c.pki.goog | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3NDFucGhocnMzY2x2cjQ2NWluOGYiLCJuYmYiOjE3NDU4MzMxNzksInRzIjoxNzQ1ODMzMTc5ODQxNTY4fQ.GYLOhJXC8zJbsKkAHL2HtmiFmaZXfQoNnQNRgm8dg1g&sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c | false | Avira URL Cloud: phishing | unknown
http://ww1.coka.la/bdEpZXZjv.js | false | Avira URL Cloud: safe | unknown
http://ww1.coka.la/ | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com | E8YOUFQ6.htm.5.dr | false | | high
http://www.nytimes.com/ | msapplication.xml3.2.dr | false | | high
http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6 | ~DFBB61539C07C1C0F5.TMP.2.dr, {33227F06-2415-11F0-8C30-ECF4BB570DC9}.dat.2.dr | false | Avira URL Cloud: safe | unknown
http://www.youtube.com/ | msapplication.xml7.2.dr | false | | high
http://www.wikipedia.com/ | msapplication.xml6.2.dr | false | | high
http://www.amazon.com/ | msapplication.xml8.2.dr | false | | high
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI | mshta.exe, 00000000.00000003.1385533745.00000000032C0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2570721542.0000000003307000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1395080550.00000000064C3000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1385409555.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2570721542.00000000032E7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2571519007.00000000064C1000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1385409555.0000000003303000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1395004313.00000000064C2000.00000004.00000800.00020000.00000000.sdmp, hyirn.hta | false | Avira URL Cloud: phishing | unknown
http://www.live.com/ | msapplication.xml2.2.dr | false | | high
http://www.reddit.com/ | msapplication.xml4.2.dr | false | | high
http://www.twitter.com/ | msapplication.xml5.2.dr | false | | high
http://www.google.com/ | msapplication.xml1.2.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
199.59.243.228 | 12065.bodis.com | United States | 395082 | BODIS-NJUS | false
162.210.199.87 | d.coka.la | United States | 30633 | LEASEWEB-USA-WDCUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1676149
Start date and time: 2025-04-28 11:42:14 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 44s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: hyirn.hta
Detection: MAL
Classification: mal48.winHTA@8/21@3/2
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 1
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .hta
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 23.194.101.222, 23.43.51.137, 23.43.51.134, 150.171.27.10, 150.171.28.10, 20.109.210.53
  • Excluded domains from analysis (whitelisted): www.bing.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, any.edge.bing.com, www.bing.com.edgekey.net, go.microsoft.com.edgekey.net, ieonline.microsoft.com, wu-b-net.trafficmanager.net
  • Execution Graph export aborted for target mshta.exe, PID 7200 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtCreateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
199.59.243.228 | DogfHe.hta | malicious | Unknown | ww1.coka.la/bSwVfnMIK.js
199.59.243.228 | 250428-eer34s1tdv.bin.exe | malicious | Unknown | cmdcmdcmd.php0h.com/4.jpg
199.59.243.228 | 250428-dfq2rsyzbv.bin.exe | malicious | Wannacry | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1310-41a4-a0a3-cb317642d741
199.59.243.228 | 250428-dfq2rsyzbv.bin.exe | malicious | Wannacry | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1306-1349-a02f-e045d0610ec4
199.59.243.228 | 250428-c8zzpsywhx.bin.exe | malicious | Wannacry | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1259-285e-80ba-2498deb4e760
199.59.243.228 | 250428-c8zzpsywhx.bin.exe | malicious | Wannacry | ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1253-04da-8ff0-bf55fec89eb4
199.59.243.228 | hyirn.hta | malicious | Unknown | ww1.coka.la/boxSBjMTT.js
199.59.243.228 | YEN#U0130 S#U0130PAR#U0130#U015e -- NUMARA 001www.vbs | malicious | FormBook | www.nkq.info/q311/
199.59.243.228 | Quotation.exe | malicious | FormBook | www.rtvs-sk.sbs/kn3k/
199.59.243.228 | ungziped_file.exe | malicious | FormBook | www.nkq.info/q311/
162.210.199.87 | 6STrd2WC88FOIND.exe | malicious | FormBook, zgRAT | www.vsini.com/ch82/?ZjRtm=eSR5URyOC1ibFYRAESkxmwXT4gwzlLAGV/QYhwDkH4AjzZel5LRGAK4ni0laDnaq2OiWWdXqEy0KVle7jTpwFNgqxXoqc3FwUw==&atNlc=MvY8l
162.210.199.87 | 8319.exe | malicious | FormBook | www.vsini.com/ch82/?KfAHy=qhgLGbzp7HV0QZ&P45tYhW8=eSR5URyOC1ibFYRAESkxmwXT4gwzlLAGV/QYhwDkH4AjzZel5LRGAK4ni0laDnaq2OiWWdXqEy0KVle7jTpwFNgqxXoqc3FwUw==
Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | Pending_Post_Tax_Payments_Detail.pdf.vbs | malicious | GuLoader | 199.232.210.172
bg.microsoft.map.fastly.net | GLS- Notifica spedizione 99133137YL.vbe | malicious | XWorm | 199.232.210.172
bg.microsoft.map.fastly.net | cYRX4HPdCS.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | Jonathan Hope_Revised_Executed_Docs.pdf | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | c57s18lwKh.exe | malicious | Amadey, LummaC Stealer, RHADAMANTHYS, Vidar, Xmrig | 199.232.214.172
bg.microsoft.map.fastly.net | 4QwoDIoVBZ.exe | malicious | Xmrig | 199.232.214.172
bg.microsoft.map.fastly.net | 8tXTOlPbMn.exe | malicious | LummaC Stealer | 199.232.210.172
bg.microsoft.map.fastly.net | 4QwoDIoVBZ.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | 2IUYZJS3ld.exe | malicious | LummaC Stealer | 199.232.214.172
bg.microsoft.map.fastly.net | oTl8rHdxTJ.exe | malicious | AsyncRAT, DcRat, GlorySprout, StormKitty | 199.232.210.172
d.coka.la | hyirn.hta | malicious | Unknown | 69.162.95.6
pki-goog.l.google.com | iiii Drawings_Tender No. UAE-UCPC-4389761110-2025.vbs | malicious | Remcos | 192.178.49.195
pki-goog.l.google.com | GLS- Notifica spedizione 99133137YL.vbe | malicious | XWorm | 172.217.14.67
pki-goog.l.google.com | cYRX4HPdCS.exe | malicious | LummaC Stealer | 142.251.40.35
pki-goog.l.google.com | QygHqof2vm.exe | malicious | RHADAMANTHYS | 192.178.49.195
pki-goog.l.google.com | c57s18lwKh.exe | malicious | Amadey, LummaC Stealer, RHADAMANTHYS, Vidar, Xmrig | 192.178.49.195
pki-goog.l.google.com | 8tXTOlPbMn.exe | malicious | LummaC Stealer | 192.178.49.195
pki-goog.l.google.com | 2IUYZJS3ld.exe | malicious | LummaC Stealer | 192.178.49.195
pki-goog.l.google.com | Y1RM4e3gSP.exe | malicious | Unknown | 192.178.49.195
pki-goog.l.google.com | 250428-g22xyaxl19.bin.exe | malicious | Tofsee | 192.178.49.195
pki-goog.l.google.com | 250428-fhlaeasvhz.bin.exe | malicious | Amadey, LummaC Stealer, Vidar, Xmrig | 192.178.49.195
12065.bodis.com | DogfHe.hta | malicious | Unknown | 199.59.243.228
12065.bodis.com | hyirn.hta | malicious | Unknown |
                                • 199.59.243.228
                                FGiemTL26H.exeGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                FGiemTL26H.exeGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                https://onlinekey.bizGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                http://ww1.tryd.proGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                THE COSTS INCURRED PENDING (1).pdfGet hashmaliciousUnknownBrowse
                                • 199.59.243.227
                                MghGQuv1pq.exeGet hashmaliciousUnruyBrowse
                                • 199.59.243.226
                                http://ww1.gove.ukGet hashmaliciousUnknownBrowse
                                • 199.59.243.225
                                RDF842l.htmlGet hashmaliciousUnknownBrowse
                                • 199.59.243.225
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                BODIS-NJUSDogfHe.htaGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                250428-eer34s1tdv.bin.exeGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                hyirn.htaGet hashmaliciousUnknownBrowse
                                • 199.59.243.228
                                YEN#U0130 S#U0130PAR#U0130#U015e -- NUMARA 001www.vbsGet hashmaliciousFormBookBrowse
                                • 199.59.243.228
                                Quotation.exeGet hashmaliciousFormBookBrowse
                                • 199.59.243.228
                                ungziped_file.exeGet hashmaliciousFormBookBrowse
                                • 199.59.243.228
                                Bank Details.exeGet hashmaliciousFormBookBrowse
                                • 199.59.243.228
                                #U0110#U01a0N H#U00c0NG M#U1edaI 112.vbsGet hashmaliciousFormBookBrowse
                                • 199.59.243.228
                                tender No. 404CMT01.exeGet hashmaliciousFormBookBrowse
                                • 199.59.243.160
                                Aluminiumprofile.LNK.lnkGet hashmaliciousDBatLoader, FormBookBrowse
                                • 199.59.243.228
                                LEASEWEB-USA-WDCUShttp://www.timesofisrael.com/young-sephardic-jews-embrace-an-old-musical-tradition/Get hashmaliciousUnknownBrowse
                                • 216.22.16.53
                                https://girlsphotosonlinexxjpg.netGet hashmaliciousUnknownBrowse
                                • 23.105.12.121
                                https://girlsphotosonlinexxjpg.net/Get hashmaliciousUnknownBrowse
                                • 23.105.12.137
                                https://deareports.online/?p=1444Get hashmaliciousUnknownBrowse
                                • 23.105.12.121
                                https://slave.tobeshiesty.shop/680a3d6037238bb58483fa1f?utm_source=%7Br%7D&utm_medium=%7Br%7D&utm_campaign=%7Br%7DGet hashmaliciousUnknownBrowse
                                • 23.105.163.27
                                Ad15xUpdateTool.exeGet hashmaliciousUnknownBrowse
                                • 23.105.12.117
                                swift copy.exeGet hashmaliciousFormBookBrowse
                                • 162.210.195.105
                                Comprobante-TransferenciasInmediatasOtrasEntidades.exeGet hashmaliciousFormBookBrowse
                                • 162.210.195.105
                                inquiry for chemical supply-RFQ-0982240.jsGet hashmaliciousFormBookBrowse
                                • 207.244.126.106
                                Invoice002372.pdfGet hashmaliciousRedLineBrowse
                                • 207.244.76.146
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                6271f898ce5be7dd52b0fc260d0662b3DogfHe.htaGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                250428-ft4acswjs2.bin.exeGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                250427-2kc8gavp14.bin.exeGet hashmaliciousRamnitBrowse
                                • 162.210.199.87
                                hyirn.htaGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                250427-v4dvsav1ew.bin.exeGet hashmaliciousProRatBrowse
                                • 162.210.199.87
                                JJsploit.exeGet hashmaliciousSheetRat, SpyBotBrowse
                                • 162.210.199.87
                                v8888_Remastered.exeGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                MLO Ltr (AF-02)04152025_0015.docx.docGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                what the fuck.exeGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                oh my pc.exeGet hashmaliciousUnknownBrowse
                                • 162.210.199.87
                                No context
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                Category:dropped
                                Size (bytes):4286
                                Entropy (8bit):3.8046022951415335
                                Encrypted:false
                                SSDEEP:24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
                                MD5:DA597791BE3B6E732F0BC8B20E38EE62
                                SHA1:1125C45D285C360542027D7554A5C442288974DE
                                SHA-256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
                                SHA-512:D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
                                Malicious:false
                                Reputation:moderate, very likely benign file
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):5632
                                Entropy (8bit):2.4178746048513897
                                Encrypted:false
                                SSDEEP:48:r5GI4yGIh+/Jq8iJWJcJFJoJRJRJE8iJWJaJDJ15JRJRJDJSJ:mo848
                                MD5:714A0A46B83411FF023C41C6F2D52039
                                SHA1:1A078F09D033172B23A9F40D64C126F499FD91D2
                                SHA-256:10739011456F8EB54B504C6BDB2C2A2618507F540AFDB9E6E27DA28BC473B361
                                SHA-512:5EC212D050E4329ABB73BEE7C59BA651210D2C45F8295949E9792F8C372B2EF120601C26163FDDF88B8C355DB5FD2B2E7D444B75453C9BE6CEFDEE8A536969CD
                                Malicious:false
                                Reputation:low
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):1.7202748076300893
                                Encrypted:false
                                SSDEEP:12:rl0oXGFatXDrEgm8Gf76FlslXDrEgm8Gn7qw9lgOjg0tJlE/9lLahd0tJl/C:rBZG8ilTG8m9l28S9la8L
                                MD5:9CF2D1D5F18E1F567BB033E8FAD498BA
                                SHA1:0429FABE169A97B5A5DDEF28ACB06F6BF9593709
                                SHA-256:E03072262B30C8054B30023CED8F4A8185A43BB652BB34B6D00C51B4A7A3170A
                                SHA-512:789B6043C0BCDADC3F2AF1770CDD4A529F3CF40474C325A7B46B9A03C994321E9C3D29F3E58F2E276789889D2BF1710C4CF21AF1F29E792D4CEC2AEC2EB95DCD
                                Malicious:false
                                Reputation:low
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:Composite Document File V2 Document, Cannot read section info
                                Category:dropped
                                Size (bytes):4096
                                Entropy (8bit):2.3847146622715742
                                Encrypted:false
                                SSDEEP:12:rlxAFTrEgmf07fFYNfrEgmf07qFI9lQcatQ0tUl/tPmGooNl1H3kwU1l/ANjLtdA:r4GhGG9lb8UlcW1LSAvdwoNOtw/Y+M6
                                MD5:FFF49AA67AABFA763DE4DC11542BA181
                                SHA1:C7BBD542D66665559CB819DADD0BA042134D2F54
                                SHA-256:6F757283960E381918381619D760F9D40B2DBDCEEE445566C1B5176CFCA5F511
                                SHA-512:CAA2C7731ABFB0D5E2BCBAE69CDBE3C5FB982BADCBAE6B5C0927F9E2677A0A646BD6EBACBDE9ABF05B4CAB34C75AFE6FC2E4D546F4463745B9B6C7C8BD7010C5
                                Malicious:false
                                Reputation:low
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (314), with CRLF line terminators
                                Category:dropped
                                Size (bytes):356
                                Entropy (8bit):5.13275471082324
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc41E2LjVEyZLjVEeCTD90/QL3WIZK0QhPPFVDHkEtMjwu:TMHdNMNxOEgBEGBEeCnWimI00ONVbkEs
                                MD5:9F6414E57D1790B6DB19F551CC479DF2
                                SHA1:248FD83CDE251676842E895599FF6CE3D5EC9AF6
                                SHA-256:5A1773B86B1E5E2523F653372FC1E311D69B75D6D7B862024302E59DA6AEBBCB
                                SHA-512:33D0F6CF79E7FF6C2776A8940DA840689B3240026CA06FD05E2152373869D9C240B67490F6F5435AC4D2BD3CD7B98D74C41B6E6EC151D72824BC587470FD1861
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x0b569bf1,0x01dbb822</date><accdate>0x0b569bf1,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (312), with CRLF line terminators
                                Category:dropped
                                Size (bytes):354
                                Entropy (8bit):5.182973782255298
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4fLGTk2Fbd+nVEyZFbd+nVEeCTD90/QL3WIZK0QhPPFkI5n:TMHdNMNxe2kMd+VECd+VEeCnWimI00OV
                                MD5:24EA10A676B1A272C7EDDF41A3BB39BA
                                SHA1:619B53D557269B210912C85AC39E495F57D171D6
                                SHA-256:4D6AA9084D05B77647C8C7F538F7B0A0E33E1D5668388BA577C11632473822BA
                                SHA-512:C28A7E1826B1263B892A73C00A5C961AB766F019548EAF8932D75A7ADFF8CD1DAC1188C39901AB9ACD761CE11A8E3B70FD2FE68AB56A118BC450D0BBBE98765A
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.amazon.com/"/><date>0x0b4f7566,0x01dbb822</date><accdate>0x0b4f7566,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Amazon.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (318), with CRLF line terminators
                                Category:dropped
                                Size (bytes):360
                                Entropy (8bit):5.155630617828343
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4GL2LjVEyZLjVEeCTD90/QL3WIZK0QhPPFyhBcEEtMjwu:TMHdNMNxvLgBEGBEeCnWimI00ONmZEty
                                MD5:2BFB9AD3AB76C78659A1D9E6F34A4A2A
                                SHA1:4D3A0934A999A96A5EC4F1251BCF04BD852BAF7C
                                SHA-256:1B5CA524CC4DA68C300FC8D09450C735E30BD93CBDA4C1AD6226201A9D6E1852
                                SHA-512:E18045B3BF9101885E76BF5859057B8AE92995189365D28439771DEC54C2A00EF1795B85C2A92E1746B7BE5F855519B921360C851CE8FBDD59A6A5BEF166FF3A
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.wikipedia.com/"/><date>0x0b569bf1,0x01dbb822</date><accdate>0x0b569bf1,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Wikipedia.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (335), with CRLF line terminators
                                Category:dropped
                                Size (bytes):377
                                Entropy (8bit):5.20724429477645
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltq08eDPOOKaihMzFbd+nVEyZxEBVEeCTD90/QL3WIZK0QhPPFN:TMHdNMNxtDPOOKatd+VEvEeCnWimI00A
                                MD5:676ACFFB4A2BDF8E9B1FF9FC90E687DC
                                SHA1:DB14BD3ABB65C9DB58DF67184A87842644F699A1
                                SHA-256:929F817E3D7DA8F0B4B09B58B82714B247EA7705599FDE2CEFCFCCD461D224FF
                                SHA-512:B76E19E609563AF91E32957A589BA90D3313D1979075AEDB6B30E0B69E5F6C359B9F265876E3E38C9ED7CF7A6020B784B12B8DB67F5216A3A31B07DEC4C59314
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://go.microsoft.com/fwlink/p/?LinkId=255142"/><date>0x0b4f7566,0x01dbb822</date><accdate>0x0b51d73b,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Bing.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (308), with CRLF line terminators
                                Category:dropped
                                Size (bytes):350
                                Entropy (8bit):5.159332760311877
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4J2/cmVEyZ/cmVEeCTD90/QL3WIZK0QhPPFgE5EtMjwu:TMHdNMNxiAcsEWcsEeCnWimI00ONd5Es
                                MD5:C31486E8C525AD7B11F60C3874ABE133
                                SHA1:5684C4E1772E3544495982189A2FDEA3BF734D40
                                SHA-256:35F4B2BA97865A73CFEAD0EA7FBA5C0E6DCAB884EA5C53C94F9EEF042C7EA2B2
                                SHA-512:9D726D0D54E6A252B919FE26A5B0BDB2FC832CAB735F59DE75E931D4EF4D2923F8692B64154D4927507CBC3F78AEEC4E8B7FEFF0ACC5B77E47D4369A3548EF0B
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.live.com/"/><date>0x0b54399a,0x01dbb822</date><accdate>0x0b54399a,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Live.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (314), with CRLF line terminators
                                Category:dropped
                                Size (bytes):356
                                Entropy (8bit):5.148649330519127
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4UxGw2LjVEyZPIVEeCTD90/QL3WIZK0QhPPF8K0QU5EtMjv:TMHdNMNxhGwgBEtEeCnWimI00ON8K07/
                                MD5:D01D9D3A3697F3DAD250AD1119A1E9E9
                                SHA1:99278BB8C04B79C4230E97B419EDA48131E033AF
                                SHA-256:F9AE5BCF94E1928AE701FF790413663B2EC91A29BE813131300831681A57AC36
                                SHA-512:76607B673F7573234D353AADF2379C84196BBD7FD3CDD12695B5544EE66F48A31B3B8B1BAB6091FFD0CD9EE65C37CB389D909D39AAEFFA09E1A8642F086B59A0
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x0b569bf1,0x01dbb822</date><accdate>0x0b58fe7a,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (312), with CRLF line terminators
                                Category:dropped
                                Size (bytes):354
                                Entropy (8bit):5.150467776898778
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4Qun2/cmVEyZLjVEeCTD90/QL3WIZK0QhPPFAkEtMjwu:TMHdNMNx0nAcsEGBEeCnWimI00ONxEty
                                MD5:978A8F9E56196E7C0F6473CFA47CA1D0
                                SHA1:572E953557F48FF539AA06AA7D75E3312EDEF2D6
                                SHA-256:DDA1AADBD6F8BD553A21BD646B427F230F3FCA247D4AFD9A1D27362E2A56F89E
                                SHA-512:EB2FEB78DDAC2E6D9A98AFE6B8D8F64FAF51A43CF1DEB380D3EB59F2CB8BB2EB6C53A9A42EBDA89DDC68B145A4F20B3AEC2DD7BEB77FC8381C62347F56C69E1F
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.reddit.com/"/><date>0x0b54399a,0x01dbb822</date><accdate>0x0b569bf1,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Reddit.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (314), with CRLF line terminators
                                Category:dropped
                                Size (bytes):356
                                Entropy (8bit):5.192559649559861
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4oT2/cmVEyZ/cmVEeCTD90/QL3WIZK0QhPPF6Kq5EtMjwu:TMHdNMNxxAcsEWcsEeCnWimI00ON6Kq/
                                MD5:E78E908FEE40252B3A3DD9878D3F60DE
                                SHA1:555F7968FBAE8ABAA0D39FAD3193CA03418F7E8C
                                SHA-256:2399F19BF8BB59BE3E9AC0429E70CFFDA2072F4B41124EEE846EB3B04CC0046E
                                SHA-512:E2DA3C8D67904B80C0BCAD3E44B912D0239FBEAFCB5A54767B7845C3A2C2DCAB302864977911E3339568C2F16DBA812CB9A8AB0030164A3D00938C555B194C71
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.nytimes.com/"/><date>0x0b54399a,0x01dbb822</date><accdate>0x0b54399a,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\NYTimes.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (316), with CRLF line terminators
                                Category:dropped
                                Size (bytes):358
                                Entropy (8bit):5.11741267824123
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4YX2n2xEBVEyZxEBVEeCTD90/QL3WIZK0QhPPF02CqEtMjv:TMHdNMNxcBEvEeCnWimI00ONVEtMb
                                MD5:4C3BE75B4D59C43A84F540AA47B24D22
                                SHA1:6110CFB8C2B33D169119359E03FBE83A9B0AF3E2
                                SHA-256:7F2FD1EBEEFB2D46CAD0D37BA4C6D197D88179038A5C740BA0137A2729B5294A
                                SHA-512:9D7708B6C7AAE8D0DD9CAB317DFE0C6E7600407C27D96C57815F118D8EAA81DEAA608D9C11A20138EF10714753EE8B1B824949EF2AAE4BFD4807A0B705B1996F
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x0b51d73b,0x01dbb822</date><accdate>0x0b51d73b,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:XML 1.0 document, ASCII text, with very long lines (312), with CRLF line terminators
                                Category:dropped
                                Size (bytes):354
                                Entropy (8bit):5.108009501350413
                                Encrypted:false
                                SSDEEP:6:TMVBdc9EMdLD5Ltqc4In2xEBVEyZxEBVEeCTD90/QL3WIZK0QhPPFiwE5EtMjwu:TMHdNMNxfnBEvEeCnWimI00ONe5EtMb
                                MD5:00476879379C8201DD434209DE21411E
                                SHA1:C6924755603C38D0F0FA1193429EC4787FC75377
                                SHA-256:800F38FDBF267255DAD5A0D408202B0ADA51D32A1B2BAC796B51578108B6AFCF
                                SHA-512:ED0F70DE4B09FE4B5596D7A940623B89F85110EAC2CAF4BCDADFDFB040A5848D0AD7CC1781BFD3E7A33D8A7970C399D586CA5FE11724C1874FED436F7E7FC95B
                                Malicious:false
                                Preview:<?xml version="1.0" encoding="utf-8"?>..<browserconfig><msapplication><config><site src="http://www.google.com/"/><date>0x0b51d73b,0x01dbb822</date><accdate>0x0b51d73b,0x01dbb822</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Google.url"/></tile></msapplication></browserconfig>..
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):11
                                Entropy (8bit):3.0957952550009344
                                Encrypted:false
                                SSDEEP:3:0MXAG3n:0MQa
                                MD5:32682312D17C7CBF18E73594F5570319
                                SHA1:60E22121BDD0BC71CDB2BAE2A3AA577006B2EAE9
                                SHA-256:E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
                                SHA-512:68337DEBB9CD659CECE621AF582AE2BC4B56B9CF06B26C45F4D9EB8BEB91D3F36BEAD287218B5AA2BB4853A1CF1A12017CA57318D7E12F489884FDC6B261DFC1
                                Malicious:false
                                Preview:Redirecting
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:HTML document, ASCII text, with very long lines (306)
                                Category:dropped
                                Size (bytes):1038
                                Entropy (8bit):5.927239116170991
                                Encrypted:false
                                SSDEEP:24:0pY0kiTWbOLBdrE6w1Fo5N/1AVnfA+T7c1SCHSxvCV4j:0XkioO9dreq5NWVflHc1SCHStpj
                                MD5:90910B03242320D615BD1FF1B164A965
                                SHA1:0620825A53CA81670D6BA30CD706852764767466
                                SHA-256:77C49E6D8FDDD2890EE7C05AB1CD916F295907A9FF91D4E5BEBB46F281D5C166
                                SHA-512:1F764FACEE53348A8B4F816AB2A310FC1D56FCAFE98494802F25A840E51CE3922929FBEB06CAB64312A98280613485D57161E468C264100D29A14688BF6D62CC
                                Malicious:false
                                Preview:<!doctype html>.<html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rAAKoivYZo763B3WIJc8O8hkepe3KRo6J+3/r0apFeno7xgYWFkbZ8aUIfM4aFyECHIom9lpMneKZXQmSmLSoQ==" lang="en" style="background: #2B2B2B;">.<head>. <meta charset="utf-8">. <meta name="viewport" content="width=device-width, initial-scale=1">. <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC">. <link rel="preconnect" href="https://www.google.com" crossorigin>.</head>.<body>.<div id="target" style="opacity: 0"></div>.<script>window.park = "eyJ1dWlkIjoiNjRhNGY5ZWUtZWFmOS00ZWUxLThkZTMtNThiZTBjNjczMDlmIiwicGFnZV90aW1lIjoxNzQ1ODMzNDAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzEuY29rYS5sYS8iLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWVzdCI6e30sInBhZ2VfaGVhZGVycyI6e30sImhvc3QiOiJ3dzEuY29rYS5sYSIsImlwIjoiMTczLjI0NC41Ni4xODYifQo=";</script>.<script src="/bd
                                Process:C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                File Type:Unicode text, UTF-8 text, with very long lines (35690)
                                Category:dropped
                                Size (bytes):35693
                                Entropy (8bit):5.355387647428162
                                Encrypted:false
                                SSDEEP:768:TP2y1slVcJ7n85NdxBB5gPCGIW8rnaVGexrEs0Ddem+euROvvMzLXWI+6Ch/ZXh4:rOrnSGexrECRL5
                                MD5:6DCAA605361A0F3FE3C86BB8D94B7B4D
                                SHA1:8DDB31E30F920CAFE1C9A6EA91C1910A728E3266
                                SHA-256:417A08E92EEABC6883D955241F2815566AAA2BB2433486E4A3D39640E87CAA28
                                SHA-512:0DCE78FC07D1FE8775D10C6D602D99F9ECE380DFFE34DF41B0AA9D19740F608F5458EEDD5612817808CDC5956C70E454A6ADB3A540BEC58B857A92F3F7C8D3DC
                                Malicious:false
                                Preview:!function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).version={})}(this,(function(exports){"use strict";function __awaiter(e,t,n,i){return new(n||(n=Promise))((function(s,a){function o(e){try{d(i.next(e))}catch(e){a(e)}}function r(e){try{d(i.throw(e))}catch(e){a(e)}}function d(e){var t;e.done?s(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(o,r)}d((i=i.apply(e,t||[])).next())}))}var Blocking;"function"==typeof SuppressedError&&SuppressedError,function(e){e.PENDING="pending",e.NONE="none",e.BLOCKED="blocked",e.ALLOWED="allowed"}(Blocking||(Blocking={}));class Adblock{constructor(e){this.state=Blocking.PENDING,this._mocked=!1,e?(this.state=e,this._mocked=!0):this.state=Blocking.ALLOWED}inject(){return __awaiter(this,void 0,void 0,(function*(){}))}hasAdblocker(){if(void 0===window.google)return!0;const e=document.querySelectorA
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
                                Category:dropped
                                Size (bytes):4286
                                Entropy (8bit):3.8046022951415335
                                Encrypted:false
                                SSDEEP:24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
                                MD5:DA597791BE3B6E732F0BC8B20E38EE62
                                SHA1:1125C45D285C360542027D7554A5C442288974DE
                                SHA-256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
                                SHA-512:D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
                                Malicious:false
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.06881200911582831
                                Encrypted:false
                                SSDEEP:3:alFXEAUolllbll1nltllNlFlVlZmllol/Hflly7l8t5tXlRsltFll2/lsllM/llO:a/vllLaluqh8tMl3+tsM6GK2K8llNW1
                                MD5:8D1691840EA6879FA637F5B98BCB4DE3
                                SHA1:92CB7DC3D1686C31B954BABE9038F917F482B73D
                                SHA-256:0067192007D15F247B08B8A7FDDB7BEB9AAC8B480C4D984C4A6B374FAAFB06F5
                                SHA-512:016077209FB481D283CCC623C0378367EA73F637450B97130215508392B50CC321266AB78D588E932DB0CDC4B72746204BCEF1690DD06655598A61650D1FE5CD
                                Malicious:false
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.10285087861106086
                                Encrypted:false
                                SSDEEP:6:WyJE2wMJg565JE2wMJg5vql3+ts90yJWJ7:WyJE8J15JE8JF0tiJWJ
                                MD5:B116B21338E7F343977E3223621821EA
                                SHA1:DB4B595594012051459CA46FE97C205C662BCF31
                                SHA-256:E7F0383ED2C9D90CC730015B1C1AFCC8E1594E2A07AB5FB8DE1C69407FC5C9C5
                                SHA-512:97D9F276983A402CE64668209B74F60E6FEE8699E9045C19C64537DA5CD8EF48567A67A701DA4542F3C7A5CFCBB75721D1A9CBD24B271CAC8D1A8B0FBAAB6462
                                Malicious:false
                                Process:C:\Program Files\Internet Explorer\iexplore.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.32545475215037056
                                Encrypted:false
                                SSDEEP:12:i9lQcatQ0tUl/tPmGooNl1H3kwU7wNjLtdwo9O0PlO/l0I+ll+Q+v+MelDy:i9lb8UlcW1L4wvdwoNOtw/Y+M6
                                MD5:BBAC28DD2CCCD2CFF5D74F0700BA83E1
                                SHA1:C40B893D9F9172C109E910C59D3D0FEEBB993BDB
                                SHA-256:6439E97B05703E45C43AACE75494FDD0AFDA7FEDB3E308648E420EE419B77069
                                SHA-512:09D3B91B657969E7EB6C261ED91576E1F3C06805ACCBAA79B0452BEC8CC3CC8D1F9553CB05EBA069D23F3E3260AFA434423376F11185443091D5762158593744
                                Malicious:false
                                File type:HTML document, ASCII text, with very long lines (480), with no line terminators
                                Entropy (8bit):5.824877375020712
                                TrID:
                                • HyperText Markup Language (12001/1) 40.67%
                                • HyperText Markup Language (11501/1) 38.98%
                                • HyperText Markup Language (6006/1) 20.35%
                                File name:hyirn.hta
                                File size:480 bytes
                                MD5:677744e61095af1985740d4867a7799f
                                SHA1:81d1d4982501cd50a12599554a7efb570852d37b
                                SHA256:ec3b78ff8656414003e6fd72f6c84d05824c15b8b9c75737baaa25f35b064362
                                SHA512:6190069632db2fc83147a41193a1c97d66384f8138bc3ac9f08dc0da5071f39c2c5a60e7686a9cf85e1ffae307f4db7716262b3b31ede52b0ed1bbe4001e8cdb
                                SSDEEP:12:kxvsCk9cE3MbUT/XU7J2vmbWkdJaLDfYI:kbxb8/kwviWkdJawI
                                TLSH:76F023D70C56CC4DA1A1B50A8EAD9E4045DE05FC20A5D81E50E85C247C367EDCC052AA
                                File Content Preview:<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJK


                                • Total Packets: 61
                                • 443 (HTTPS)
                                • 80 (HTTP)
                                • 53 (DNS)
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Apr 28, 2025 11:43:10.463339090 CEST | 192.168.2.5 | 1.1.1.1 | 0xd2eb | Standard query (0) | c.pki.goog | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:17.960412025 CEST | 192.168.2.5 | 1.1.1.1 | 0x7939 | Standard query (0) | d.coka.la | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:19.530841112 CEST | 192.168.2.5 | 1.1.1.1 | 0xcf67 | Standard query (0) | ww1.coka.la | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Apr 28, 2025 11:43:08.901993990 CEST | 1.1.1.1 | 192.168.2.5 | 0x7f49 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:08.901993990 CEST | 1.1.1.1 | 192.168.2.5 | 0x7f49 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:10.603580952 CEST | 1.1.1.1 | 192.168.2.5 | 0xd2eb | No error (0) | c.pki.goog | pki-goog.l.google.com | | CNAME (Canonical name) | IN (0x0001) | false
                                Apr 28, 2025 11:43:10.603580952 CEST | 1.1.1.1 | 192.168.2.5 | 0xd2eb | No error (0) | pki-goog.l.google.com | | 192.178.49.195 | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:18.202199936 CEST | 1.1.1.1 | 192.168.2.5 | 0x7939 | No error (0) | d.coka.la | | 162.210.199.87 | A (IP address) | IN (0x0001) | false
                                Apr 28, 2025 11:43:19.829741955 CEST | 1.1.1.1 | 192.168.2.5 | 0xcf67 | No error (0) | ww1.coka.la | 12065.bodis.com | | CNAME (Canonical name) | IN (0x0001) | false
                                Apr 28, 2025 11:43:19.829741955 CEST | 1.1.1.1 | 192.168.2.5 | 0xcf67 | No error (0) | 12065.bodis.com | | 199.59.243.228 | A (IP address) | IN (0x0001) | false
                                • d.coka.la
                                • ww1.coka.la
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49694 | 199.59.243.228 | 80 | 6148 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Apr 28, 2025 11:43:19.981966019 CEST | 258 | OUT | GET / HTTP/1.1
                                Accept: text/html, application/xhtml+xml, image/jxr, */*
                                Accept-Language: en-CH
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                Accept-Encoding: gzip, deflate
                                Connection: Keep-Alive
                                Host: ww1.coka.la
                                Apr 28, 2025 11:43:20.197915077 CEST | 1358 | IN | HTTP/1.1 200 OK
                                date: Mon, 28 Apr 2025 09:43:19 GMT
                                content-type: text/html; charset=utf-8
                                content-length: 1038
                                x-request-id: 64a4f9ee-eaf9-4ee1-8de3-58be0c67309f
                                cache-control: no-store, max-age=0
                                accept-ch: sec-ch-prefers-color-scheme
                                critical-ch: sec-ch-prefers-color-scheme
                                vary: sec-ch-prefers-color-scheme
                                x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rAAKoivYZo763B3WIJc8O8hkepe3KRo6J+3/r0apFeno7xgYWFkbZ8aUIfM4aFyECHIom9lpMneKZXQmSmLSoQ==
                                set-cookie: parking_session=64a4f9ee-eaf9-4ee1-8de3-58be0c67309f; expires=Mon, 28 Apr 2025 09:58:20 GMT; path=/
                                Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rAAKoivYZo763B3WIJc8O8hkepe3KRo6J+3/r0apFeno7xgYWFkbZ8aUIfM4aFyECHIom9lpMneKZXQmSmLSoQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>win
                                Apr 28, 2025 11:43:20.197936058 CEST | 350 | IN
                                Data Ascii: dow.park = "eyJ1dWlkIjoiNjRhNGY5ZWUtZWFmOS00ZWUxLThkZTMtNThiZTBjNjczMDlmIiwicGFnZV90aW1lIjoxNzQ1ODMzNDAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzEuY29rYS5sYS8iLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWVzdCI6e30sInBhZ2VfaGVhZGVycyI6e30sImhvc3QiOiJ3dzEuY29
                                Apr 28, 2025 11:43:20.204744101 CEST | 350 | IN
                                Data Ascii: dow.park = "eyJ1dWlkIjoiNjRhNGY5ZWUtZWFmOS00ZWUxLThkZTMtNThiZTBjNjczMDlmIiwicGFnZV90aW1lIjoxNzQ1ODMzNDAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzEuY29rYS5sYS8iLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWVzdCI6e30sInBhZ2VfaGVhZGVycyI6e30sImhvc3QiOiJ3dzEuY29
                                Apr 28, 2025 11:43:20.215713024 CEST | 347 | OUT | GET /bdEpZXZjv.js HTTP/1.1
                                Accept: application/javascript, */*;q=0.8
                                Referer: http://ww1.coka.la/
                                Accept-Language: en-CH
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                Accept-Encoding: gzip, deflate
                                Host: ww1.coka.la
                                Connection: Keep-Alive
                                Cookie: parking_session=64a4f9ee-eaf9-4ee1-8de3-58be0c67309f
                                Apr 28, 2025 11:43:20.431549072 CEST | 1358 | IN | HTTP/1.1 200 OK
                                date: Mon, 28 Apr 2025 09:43:19 GMT
                                content-type: application/javascript; charset=utf-8
                                content-length: 35693
                                x-request-id: f3fe6da2-07e4-4634-9e8a-69665b8c8a31
                                set-cookie: parking_session=64a4f9ee-eaf9-4ee1-8de3-58be0c67309f; expires=Mon, 28 Apr 2025 09:58:20 GMT
                                Data Ascii: !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e||self).version={})}(this,(function(exports){"use strict";function __awaiter(e,t,n,i){return new(n||(n=Promise))((function(s,a){function o(e){try{d(i.next(e))}catch(e){a(e)}}function r(e){try{d(i.throw(e))}catch(e){a(e)}}function d(e){var t;e.done?s(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(o,r)}d((i=i.apply(e,t||[])).next())}))}var Blocking;"function"==typeof SuppressedError&&SuppressedError,function(e){e.PENDING="pending",e.NONE="none",e.BLOCKED="blocked",e.ALLOWED="allowed"}(Blocking||(Blocking={}));class Adblock{constructor(e){this.state=Blocking.PENDING,this._mocked=!1,e?(this.state=e,this._mocked=!0):this.state=Blocking.ALLOWED}inject(){return __awaiter(this,void 0,void 0,(function*(){}))}hasAdblocker(){if(void 0===window.google)return!0;const e=document.querySelectorAll("style"); [TRUNCATED]
                                Apr 28, 2025 11:43:20.431648970 CEST | 1358 | IN
                                Data Ascii: lockkey")))}handleAdblocked(){this.removeAdblockKey(),this.state=Blocking.BLOCKED}removeAdblockKey(){var e;null===(e=document.documentElement.dataset)||void 0===e||delete e.adblockkey}get isBlocked(){return this.state===Blocking.BLOCKED}get is
                                Apr 28, 2025 11:43:20.431662083 CEST | 1358 | IN
                                Data Ascii: asons;!function(e){e.CAF_TIMEDOUT="caf_timedout",e.CAF_ADLOAD_FAIL_RS="caf_adloadfail_rs",e.CAF_ADLOAD_FAIL_ADS="caf_adloadfail_ads",e.DISABLED_GB="disabled_gb",e.DISABLED_AB="disabled_ab",e.DISABLED_DS="disabled_ds",e.AD_BLOCKED="ad_blocked",
                                Apr 28, 2025 11:43:20.431674004 CEST | 1358 | IN
                                Data Ascii: y: hidden;\n}\n\n/* Status Messages - These are displayed when we are not rendering ad blocks or Related Search */\n\n#pk-status-message {\n height: 75vh;\n width: 100%;\n display: flex;\n flex-direction: column;\n align-items: center;\n
                                Apr 28, 2025 11:43:20.431684971 CEST | 1358 | IN
                                Data Ascii: \n left: 8px;\n animation: pk-anim-1 0.6s infinite;\n}\n\n.pk-loader div:nth-child(2) {\n left: 8px;\n animation: pk-anim-2 0.6s infinite;\n}\n\n.pk-loader div:nth-child(3) {\n left: 32px;\n animation: pk-anim-2 0.6s infinite;\n}\n\n.pk-
                                Apr 28, 2025 11:43:20.431698084 CEST | 1358 | IN
                                Data Ascii: mNode.classList.add(PAGE_READY_CLASS)},this.hideSalesBanner=()=>{this.domNode.classList.add("hide-sales-banner")},this.revealSalesBanner=()=>{this.domNode.classList.remove("hide-sales-banner")},this.injectMetaDescription=e=>{if(!e||0===e.lengt
                                Apr 28, 2025 11:43:20.431710005 CEST | 200 | IN
                                Data Ascii: </div>\n `,"BOTTOM"===n?(o.style.marginTop="30px",document.body.appendChild(o)):document.body.prepend(o)}loading(e){let t="a few";e>0&&(t=`<span id="redirect">${e}</span>`),this.message(`\n
                                Apr 28, 2025 11:43:20.431723118 CEST | 1358 | IN
                                Data Ascii: <div class="pk-loader">\n <div></div>\n <div></div>\n <div></div>\n <div></div>\n </div>\n <div class="pk-loader-text hidden-xs">\n Page loading in ${t} seconds, please wait...\n </div>\n `)
                                Apr 28, 2025 11:43:20.431736946 CEST | 1358 | IN
                                Data Ascii: &eval(js)}injectHTML(e){this.domNode?(e&&(this.domNode.innerHTML=e),this.domIsReady=!0):(this.domIsReady=!1,console.error("An error occurred when trying to render this page. DOM node not found."))}prerender(e){this.injectMetaDescription(e.doma


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                1 | 192.168.2.5 | 49695 | 199.59.243.228 | 80 | 6148 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Apr 28, 2025 11:43:30.123357058 CEST | 233 | IN | HTTP/1.1 408 Request Time-out
                                Content-length: 110
                                Cache-Control: no-cache
                                Connection: close
                                Content-Type: text/html
                                Data Ascii: <html><body><h1>408 Request Time-out</h1>Your browser didn't send a complete request in time.</body></html>


                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49692 | 162.210.199.87 | 443 | 6148 | C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Timestamp | Bytes transferred | Direction | Data
                                2025-04-28 09:43:19 UTC | 586 | OUT | GET /hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg0MDM3OSwiaWF0IjoxNzQ1ODMzMTc5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3NDFucGhocnMzY2x2cjQ2NWluOGYiLCJuYmYiOjE3NDU4MzMxNzksInRzIjoxNzQ1ODMzMTc5ODQxNTY4fQ.GYLOhJXC8zJbsKkAHL2HtmiFmaZXfQoNnQNRgm8dg1g&sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c HTTP/1.1
                                Accept: text/html, application/xhtml+xml, image/jxr, */*
                                Accept-Language: en-CH
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
                                Accept-Encoding: gzip, deflate
                                Host: d.coka.la
                                Connection: Keep-Alive
                                2025-04-28 09:43:19 UTC | 352 | IN | HTTP/1.1 302 Found
                                cache-control: max-age=0, private, must-revalidate
                                connection: close
                                content-length: 11
                                date: Mon, 28 Apr 2025 09:43:18 GMT
                                location: http://ww1.coka.la
                                server: Cowboy
                                set-cookie: sid=b4b84987-2414-11f0-b8f9-08c64eff8f7c; path=/; domain=.coka.la; expires=Sat, 16 May 2093 12:57:26 GMT; max-age=2147483647; secure; HttpOnly
                                2025-04-28 09:43:19 UTC | 11 | IN | Data Raw: 52 65 64 69 72 65 63 74 69 6e 67
                                Data Ascii: Redirecting


                                Target ID: 0
                                Start time: 05:43:12
                                Start date: 28/04/2025
                                Path: C:\Windows\SysWOW64\mshta.exe
                                Wow64 process (32bit): true
                                Commandline: mshta.exe "C:\Users\user\Desktop\hyirn.hta"
                                Imagebase: 0xbf0000
                                File size: 13'312 bytes
                                MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: high
                                Has exited: false

                                Target ID: 2
                                Start time: 05:43:12
                                Start date: 28/04/2025
                                Path: C:\Program Files\Internet Explorer\iexplore.exe
                                Wow64 process (32bit): false
                                Commandline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
                                Imagebase: 0x7ff746b20000
                                File size: 834'512 bytes
                                MD5 hash: CFE2E6942AC1B72981B3105E22D3224E
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate
                                Has exited: false

                                Target ID: 3
                                Start time: 05:43:13
                                Start date: 28/04/2025
                                Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17410 /prefetch:2
                                Imagebase: 0x5d0000
                                File size: 828'368 bytes
                                MD5 hash: 6F0F06D6AB125A99E43335427066A4A1
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate
                                Has exited: false

                                Target ID: 4
                                Start time: 05:43:13
                                Start date: 28/04/2025
                                Path: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
                                Imagebase: 0x1f0000
                                File size: 85'632 bytes
                                MD5 hash: F9A898A606E7F5A1CD7CFFA8079253A0
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate
                                Has exited: true

                                Target ID: 5
                                Start time: 05:43:16
                                Start date: 28/04/2025
                                Path: C:\Program Files (x86)\Internet Explorer\iexplore.exe
                                Wow64 process (32bit): true
                                Commandline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7380 CREDAT:17414 /prefetch:2
                                Imagebase: 0x5d0000
                                File size: 828'368 bytes
                                MD5 hash: 6F0F06D6AB125A99E43335427066A4A1
                                Has elevated privileges: true
                                Has administrator privileges: true
                                Programmed in: C, C++ or other language
                                Reputation: moderate
                                Has exited: false

                                Executed Functions

                                Memory Dump Source
                                • Source File: 00000000.00000002.2571700551.00000000066E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 066E0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_66e0000_mshta.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                • Instruction ID: 5c66d6001a52e76a3e0ba55931fd1c4df277939e826c9e274b1856515548475a
                                • Opcode Fuzzy Hash: 1a9ce593b8061fe11d005a8fadf4466c64fb9f615bec526e67dbe7247faadaf0
                                • Instruction Fuzzy Hash: