Edit tour

Windows Analysis Report
hyirn.hta

Overview

General Information

Sample name:	hyirn.hta
Analysis ID:	1676268
MD5:	2bf28df3cae6ec8fd294b251f9f7dc9e
SHA1:	582da9e1b58f400b3564dfd198abaa516f0c1338
SHA256:	82c78c649bf729ce4980ec4bce974521b0949271e6d4c09860e6001e7a060b59
Tags:	htauser-abuse_ch
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Searches for the Microsoft Outlook file path

Sigma detected: Use Short Name Path in Command Line

Classification

Process Tree

System is w10x64

mshta.exe (PID: 5736 cmdline: mshta.exe "C:\Users\user\Desktop\hyirn.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)

iexplore.exe (PID: 1488 cmdline: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding MD5: CFE2E6942AC1B72981B3105E22D3224E)

iexplore.exe (PID: 7952 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17410 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

ssvagent.exe (PID: 8140 cmdline: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new MD5: F9A898A606E7F5A1CD7CFFA8079253A0)

iexplore.exe (PID: 7048 cmdline: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17414 /prefetch:2 MD5: 6F0F06D6AB125A99E43335427066A4A1)

cleanup

Sigma Signatures

Sigma detected: Use Short Name Path in Command Line

Source: Process started

Author: frack113, Nasreddine Bencherchali: Data: Command: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, CommandLine|base64offset|contains: w, Image: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, NewProcessName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, OriginalFileName: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe, ParentCommandLine: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17410 /prefetch:2, ParentImage: C:\Program Files (x86)\Internet Explorer\iexplore.exe, ParentProcessId: 7952, ParentProcessName: iexplore.exe, ProcessCommandLine: "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new, ProcessId: 8140, ProcessName: ssvagent.exe

Sigma detected: Modification of IE Registry Settings

Source: Registry Key set

Author: frack113: Data: Details: 1, EventID: 13, EventType: SetValue, Image: C:\Program Files\Internet Explorer\iexplore.exe, ProcessId: 1488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\SecuritySafe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3b3VyMWg0cWNpbXBjOThhMDhpODYiLCJuYmYiOjE3NDU4NDQ2NzQsInRzIjoxNzQ1ODQ0Njc0OTE4NjIwfQ.GI_YPwbWdpRvsfw_D8XkPikj7MZDOzelICwzole8gjQ&sid=7851b02e-242f-11f0-bce7-d69d2fb93891	Avira URL Cloud: Label: phishing
Source: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI	Avira URL Cloud: Label: phishing

Source: unknown	HTTPS traffic detected: 74.63.241.29:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.63.241.29:443 -> 192.168.2.5:49692 version: TLS 1.2

Source: Joe Sandbox View

IP Address: 199.59.243.228 199.59.243.228

Source: Joe Sandbox View

JA3 fingerprint: 6271f898ce5be7dd52b0fc260d0662b3

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3b3VyMWg0cWNpbXBjOThhMDhpODYiLCJuYmYiOjE3NDU4NDQ2NzQsInRzIjoxNzQ1ODQ0Njc0OTE4NjIwfQ.GI_YPwbWdpRvsfw_D8XkPikj7MZDOzelICwzole8gjQ&sid=7851b02e-242f-11f0-bce7-d69d2fb93891 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: d.coka.laConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, /Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateConnection: Keep-AliveHost: ww1.coka.la
Source: global traffic	HTTP traffic detected: GET /bLEzTQZNU.js HTTP/1.1Accept: application/javascript, /;q=0.8Referer: http://ww1.coka.la/Accept-Language: en-CHUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ww1.coka.laConnection: Keep-AliveCookie: parking_session=54d8a0a4-814b-4979-9911-559f931a9d73

Source: msapplication.xml0.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x499aa96d,0x01dbb83d</date><accdate>0x499d0bef,0x01dbb83d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x49a1d0a1,0x01dbb83d</date><accdate>0x49a1d0a1,0x01dbb83d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x49a432c5,0x01dbb83d</date><accdate>0x49a432c5,0x01dbb83d</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: global traffic	DNS traffic detected: DNS query: d.coka.la
Source: global traffic	DNS traffic detected: DNS query: ww1.coka.la

Source: {71851B2F-2430-11F0-8C30-ECF4BB570DC9}.dat.2.dr, ~DF67298C79B64E95AD.TMP.2.dr	String found in binary or memory: http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6
Source: msapplication.xml8.2.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.2.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.2.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr	String found in binary or memory: http://www.youtube.com/
Source: mshta.exe, 00000000.00000003.1408291455.000000000343A000.00000004.00000020.00020000.00000000.sdmp, hyirn.hta	String found in binary or memory: https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI
Source: UVO4M0JR.htm.5.dr	String found in binary or memory: https://www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49693
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49692
Source: unknown	Network traffic detected: HTTP traffic on port 49692 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49693 -> 443

Source: unknown	HTTPS traffic detected: 74.63.241.29:443 -> 192.168.2.5:49693 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 74.63.241.29:443 -> 192.168.2.5:49692 version: TLS 1.2

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: classification engine

Classification label: mal48.winHTA@8/21@2/2

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC310EA29AC4B93F9.TMP

Jump to behavior

Source: C:\Program Files\Internet Explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\hyirn.hta"
Source: unknown	Process created: C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17410 /prefetch:2
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17414 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17410 /prefetch:2	Jump to behavior
Source: C:\Program Files\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17414 /prefetch:2	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe "C:\PROGRA~2\Java\jre-1.8\bin\ssvagent.exe" -new	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Section loaded: uxtheme.dll	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync

Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\ssvagent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\mshta.exe

Window / User API: threadDelayed 7273

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Application Window Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Process Injection	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	1 Ingress Tool Transfer	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
hyirn.hta	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ww1.coka.la/bLEzTQZNU.js	0%	Avira URL Cloud	safe
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3b3VyMWg0cWNpbXBjOThhMDhpODYiLCJuYmYiOjE3NDU4NDQ2NzQsInRzIjoxNzQ1ODQ0Njc0OTE4NjIwfQ.GI_YPwbWdpRvsfw_D8XkPikj7MZDOzelICwzole8gjQ&sid=7851b02e-242f-11f0-bce7-d69d2fb93891	100%	Avira URL Cloud	phishing
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI	100%	Avira URL Cloud	phishing
http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6	0%	Avira URL Cloud	safe
http://ww1.coka.la/	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
d.coka.la	74.63.241.29	true	false	high
12065.bodis.com	199.59.243.228	true	false	high
ww1.coka.la	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3b3VyMWg0cWNpbXBjOThhMDhpODYiLCJuYmYiOjE3NDU4NDQ2NzQsInRzIjoxNzQ1ODQ0Njc0OTE4NjIwfQ.GI_YPwbWdpRvsfw_D8XkPikj7MZDOzelICwzole8gjQ&sid=7851b02e-242f-11f0-bce7-d69d2fb93891	false	Avira URL Cloud: phishing	unknown
http://ww1.coka.la/	false	Avira URL Cloud: safe	unknown
http://ww1.coka.la/bLEzTQZNU.js	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.google.com	UVO4M0JR.htm.5.dr	false		high
http://www.nytimes.com/	msapplication.xml3.2.dr	false		high
http://ww1.coka.la/irn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6	{71851B2F-2430-11F0-8C30-ECF4BB570DC9}.dat.2.dr, ~DF67298C79B64E95AD.TMP.2.dr	false	Avira URL Cloud: safe	unknown
http://www.youtube.com/	msapplication.xml7.2.dr	false		high
http://www.wikipedia.com/	msapplication.xml6.2.dr	false		high
http://www.amazon.com/	msapplication.xml8.2.dr	false		high
https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI	mshta.exe, 00000000.00000003.1408291455.000000000343A000.00000004.00000020.00020000.00000000.sdmp, hyirn.hta	false	Avira URL Cloud: phishing	unknown
http://www.live.com/	msapplication.xml2.2.dr	false		high
http://www.reddit.com/	msapplication.xml4.2.dr	false		high
http://www.twitter.com/	msapplication.xml5.2.dr	false		high
http://www.google.com/	msapplication.xml1.2.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
74.63.241.29	d.coka.la	United States		46475	LIMESTONENETWORKSUS	false
199.59.243.228	12065.bodis.com	United States		395082	BODIS-NJUS	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1676268
Start date and time:	2025-04-28 14:57:13 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 59s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hyirn.hta
Detection:	MAL
Classification:	mal48.winHTA@8/21@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 1 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .hta

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, ielowutil.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 23.194.101.222, 23.62.226.8, 23.62.226.62, 23.62.226.4, 23.62.226.46, 23.62.226.57, 23.62.226.49, 23.62.226.45, 23.62.226.64, 23.62.226.65, 150.171.27.10, 150.171.28.10, 184.29.183.29, 172.202.163.200
Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, e11290.dspg.akamaiedge.net, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, go.microsoft.com, e86303.dscx.akamaiedge.net, any.edge.bing.com, www.bing.com.edgekey.net, go.microsoft.com.edgekey.net, ieonline.microsoft.com, c.pki.goog
Execution Graph export aborted for target mshta.exe, PID 5736 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
199.59.243.228	DogfHe.hta	Get hash	malicious	Unknown	Browse	ww1.coka.la/bVIrnpSbo.js
	hyirn.hta	Get hash	malicious	Unknown	Browse	ww1.coka.la/bcfjkbavA.js
	DogfHe.hta	Get hash	malicious	Unknown	Browse	ww1.coka.la/bggSrBaas.js
	hyirn.hta	Get hash	malicious	Unknown	Browse	ww1.coka.la/bdEpZXZjv.js
	DogfHe.hta	Get hash	malicious	Unknown	Browse	ww1.coka.la/bSwVfnMIK.js
	250428-eer34s1tdv.bin.exe	Get hash	malicious	Unknown	Browse	cmdcmdcmd.php0h.com/4.jpg
	250428-dfq2rsyzbv.bin.exe	Get hash	malicious	Wannacry	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1310-41a4-a0a3-cb317642d741
	250428-dfq2rsyzbv.bin.exe	Get hash	malicious	Wannacry	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1306-1349-a02f-e045d0610ec4
	250428-c8zzpsywhx.bin.exe	Get hash	malicious	Wannacry	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1259-285e-80ba-2498deb4e760
	250428-c8zzpsywhx.bin.exe	Get hash	malicious	Wannacry	Browse	ww25.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com/?subid1=20250428-1253-04da-8ff0-bf55fec89eb4

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
d.coka.la	QchnRz.hta	Get hash	malicious	Unknown	Browse	74.63.241.30
	hyirn.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
	hyirn.hta	Get hash	malicious	Unknown	Browse	162.210.199.87
	hyirn.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
12065.bodis.com	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	FGiemTL26H.exe	Get hash	malicious	Unknown	Browse	199.59.243.228
	FGiemTL26H.exe	Get hash	malicious	Unknown	Browse	199.59.243.228
	https://onlinekey.biz	Get hash	malicious	Unknown	Browse	199.59.243.228
	http://ww1.tryd.pro	Get hash	malicious	Unknown	Browse	199.59.243.228

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LIMESTONENETWORKSUS	QchnRz.hta	Get hash	malicious	Unknown	Browse	74.63.241.30
	DogfHe.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
	hyirn.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
	DogfHe.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
	hyirn.hta	Get hash	malicious	Unknown	Browse	69.162.95.6
	mqppc.elf	Get hash	malicious	Mirai	Browse	64.31.35.20
	44xVAnBq4t.msi	Get hash	malicious	GhostRat	Browse	64.31.23.30
	44xVAnBq4t.msi	Get hash	malicious	GhostRat	Browse	64.31.35.242
	https://novelfullplus.com	Get hash	malicious	Unknown	Browse	208.115.233.54
	http://roadmapeducation.online	Get hash	malicious	Unknown	Browse	74.63.241.22
BODIS-NJUS	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	DogfHe.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	250428-eer34s1tdv.bin.exe	Get hash	malicious	Unknown	Browse	199.59.243.228
	hyirn.hta	Get hash	malicious	Unknown	Browse	199.59.243.228
	YEN#U0130 S#U0130PAR#U0130#U015e -- NUMARA 001www.vbs	Get hash	malicious	FormBook	Browse	199.59.243.228
	Quotation.exe	Get hash	malicious	FormBook	Browse	199.59.243.228
	ungziped_file.exe	Get hash	malicious	FormBook	Browse	199.59.243.228

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
6271f898ce5be7dd52b0fc260d0662b3	DogfHe.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	hyirn.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	DogfHe.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	hyirn.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	DogfHe.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	250428-ft4acswjs2.bin.exe	Get hash	malicious	Unknown	Browse	74.63.241.29
	250427-2kc8gavp14.bin.exe	Get hash	malicious	Ramnit	Browse	74.63.241.29
	hyirn.hta	Get hash	malicious	Unknown	Browse	74.63.241.29
	250427-v4dvsav1ew.bin.exe	Get hash	malicious	ProRat	Browse	74.63.241.29
	JJsploit.exe	Get hash	malicious	SheetRat, SpyBot	Browse	74.63.241.29

Process:	C:\Program Files\Internet Explorer\iexplore.exe
File Type:	MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel
Category:	dropped
Size (bytes):	4286
Entropy (8bit):	3.8046022951415335
Encrypted:	false
SSDEEP:	24:suZOWcCXPRS4QAUs/KBy3TYI42Apvl6wheXpktCH2Yn4KgISQggggFpz1k9PAYHu:HBRh+sCBykteatiBn4KWi1+Ne
MD5:	DA597791BE3B6E732F0BC8B20E38EE62
SHA1:	1125C45D285C360542027D7554A5C442288974DE
SHA-256:	5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
SHA-512:	D8DC8358727590A1ED74DC70356AEDC0499552C2DC0CD4F7A01853DD85CEB3AEAD5FBDC7C75D7DA36DB6AF2448CE5ABDFF64CEBDCA3533ECAD953C061A9B338E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	...... .... .........(... ...@..... ...................................................................................................................................................................................................N...Sz..R...R...P...N..L..H..DG..........................................................................................R6..U...U...S...R...P...N..L..I..F..B...7...............................................................................S6..V...V...U...S...R...P...N..L..I..F..C...?..:z......................................................................O...W...V...V...U...S...R...P...N..L..I..E..C...?...;..{7..q2$..............................................................T..D..]...S)..p6..J...R...P...N..L..I..E..B..>..;..z7..p2..f,X.........................................................A..O#..N!..N!..N!..P$..q:...P...N..K..I..E..A..=..9..x5..n0..e,...5...................................................Ea.Z,..T$..T$..T

Process:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	3.0957952550009344
Encrypted:	false
SSDEEP:	3:0MXAG3n:0MQa
MD5:	32682312D17C7CBF18E73594F5570319
SHA1:	60E22121BDD0BC71CDB2BAE2A3AA577006B2EAE9
SHA-256:	E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
SHA-512:	68337DEBB9CD659CECE621AF582AE2BC4B56B9CF06B26C45F4D9EB8BEB91D3F36BEAD287218B5AA2BB4853A1CF1A12017CA57318D7E12F489884FDC6B261DFC1
Malicious:	false
Preview:	Redirecting

File type:	HTML document, ASCII text, with very long lines (480), with no line terminators
Entropy (8bit):	5.815725534121472
TrID:	HyperText Markup Language (12001/1) 40.67% HyperText Markup Language (11501/1) 38.98% HyperText Markup Language (6006/1) 20.35%
File name:	hyirn.hta
File size:	480 bytes
MD5:	2bf28df3cae6ec8fd294b251f9f7dc9e
SHA1:	582da9e1b58f400b3564dfd198abaa516f0c1338
SHA256:	82c78c649bf729ce4980ec4bce974521b0949271e6d4c09860e6001e7a060b59
SHA512:	fd1eb99079c8e6c60b5db41211618282abb0f6f903da3d773c89aecaf6d312ed36b6cd3b77e1684f86aa832bbfe690c01c48132ab28e4593984c41a3f5fcff86
SSDEEP:	12:kxvsCk9cE3MbUT/XU5bjlJjdJ9/X6rD9YMBYI:kbxb8/kV9/X6rDWFI
TLSH:	BFF0DCE78C96CCCCE2C0185D8EA8421C05C886A8199CD86D40DCE8A4FCF938FCD06136
File Content Preview:	<html><head><title>Loading...</title></head><body><script type='text/javascript'>window.location.replace('https://d.coka.la/hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJK

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2025 14:58:19.405308008 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.405356884 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.405363083 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.405392885 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.405468941 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.405503035 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.413417101 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.413427114 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.413619995 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.413635969 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.929974079 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.930066109 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.959311008 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.959400892 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.968805075 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.968820095 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.969018936 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.969018936 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.969036102 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.969043970 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.969332933 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.969439983 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:19.969583035 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:19.969643116 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:20.233139992 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:20.233293056 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:20.233308077 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:20.233318090 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:20.233386040 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:20.257188082 CEST	49693	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:20.257215977 CEST	443	49693	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:20.464560032 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.464627028 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.611923933 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.611942053 CEST	80	49696	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.612000942 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.612047911 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.612483978 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.759690046 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.830123901 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.830144882 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.830219984 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:20.837383032 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:20.837551117 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.011673927 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.158967018 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229041100 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229059935 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229079008 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229090929 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229106903 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229108095 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229116917 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229141951 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229157925 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229170084 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229178905 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229178905 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229187965 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229197025 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229202986 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229206085 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229234934 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229243994 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229254961 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229270935 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229296923 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229305983 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229296923 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229360104 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229370117 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229374886 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229393959 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229410887 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229432106 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229448080 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229451895 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229451895 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229487896 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229509115 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229517937 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229528904 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229552984 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229578018 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229587078 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229623079 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229650974 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229660034 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.229669094 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.229696035 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:21.233453035 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.233499050 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.233515024 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:21.233561993 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:24.956334114 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:24.956398010 CEST	443	49692	74.63.241.29	192.168.2.5
Apr 28, 2025 14:58:24.956403971 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:24.956502914 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 14:58:30.745316029 CEST	80	49696	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:30.745331049 CEST	80	49696	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:30.745368004 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:30.745408058 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:30.751415014 CEST	80	49696	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:30.751471043 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 14:58:31.229223013 CEST	80	49695	199.59.243.228	192.168.2.5
Apr 28, 2025 14:58:31.229427099 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:08.782247066 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:08.782293081 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:08.782358885 CEST	49696	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:08.782563925 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 15:00:08.782604933 CEST	49692	443	192.168.2.5	74.63.241.29
Apr 28, 2025 15:00:08.929927111 CEST	80	49696	199.59.243.228	192.168.2.5
Apr 28, 2025 15:00:09.093873024 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:09.718885899 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:10.952984095 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:13.408622026 CEST	49695	80	192.168.2.5	199.59.243.228
Apr 28, 2025 15:00:18.312356949 CEST	49695	80	192.168.2.5	199.59.243.228

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 28, 2025 14:58:19.229968071 CEST	49246	53	192.168.2.5	1.1.1.1
Apr 28, 2025 14:58:19.399807930 CEST	53	49246	1.1.1.1	192.168.2.5
Apr 28, 2025 14:58:20.260471106 CEST	61520	53	192.168.2.5	1.1.1.1
Apr 28, 2025 14:58:20.463639975 CEST	53	61520	1.1.1.1	192.168.2.5

Timestamp	Bytes transferred	Direction	Data
Apr 28, 2025 14:58:20.612483978 CEST	258	OUT	GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: ww1.coka.la
Apr 28, 2025 14:58:20.830123901 CEST	1358	IN	HTTP/1.1 200 OK date: Mon, 28 Apr 2025 12:58:20 GMT content-type: text/html; charset=utf-8 content-length: 1038 x-request-id: 54d8a0a4-814b-4979-9911-559f931a9d73 cache-control: no-store, max-age=0 accept-ch: sec-ch-prefers-color-scheme critical-ch: sec-ch-prefers-color-scheme vary: sec-ch-prefers-color-scheme x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rAAKoivYZo763B3WIJc8O8hkepe3KRo6J+3/r0apFeno7xgYWFkbZ8aUIfM4aFyECHIom9lpMneKZXQmSmLSoQ== set-cookie: parking_session=54d8a0a4-814b-4979-9911-559f931a9d73; expires=Mon, 28 Apr 2025 13:13:20 GMT; path=/ Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 61 74 61 2d 61 64 62 6c 6f 63 6b 6b 65 79 3d 22 4d 46 77 77 44 51 59 4a 4b 6f 5a 49 68 76 63 4e 41 51 45 42 42 51 41 44 53 77 41 77 53 41 4a 42 41 4e 44 72 70 32 6c 7a 37 41 4f 6d 41 44 61 4e 38 74 41 35 30 4c 73 57 63 6a 4c 46 79 51 46 63 62 2f 50 32 54 78 63 35 38 6f 59 4f 65 49 4c 62 33 76 42 77 37 4a 36 66 34 70 61 6d 6b 41 51 56 53 51 75 71 59 73 4b 78 33 59 7a 64 55 48 43 76 62 56 5a 76 46 55 73 43 41 77 45 41 41 51 3d 3d 5f 72 41 41 4b 6f 69 76 59 5a 6f 37 36 33 42 33 57 49 4a 63 38 4f 38 68 6b 65 70 65 33 4b 52 6f 36 4a 2b 33 2f 72 30 61 70 46 65 6e 6f 37 78 67 59 57 46 6b 62 5a 38 61 55 49 66 4d 34 61 46 79 45 43 48 49 6f 6d 39 6c 70 4d 6e 65 4b 5a 58 51 6d 53 6d 4c 53 6f 51 3d 3d 22 20 6c 61 6e 67 3d 22 65 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 3a 20 23 32 42 32 42 32 42 3b 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d [TRUNCATED] Data Ascii: <!doctype html><html data-adblockkey="MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANDrp2lz7AOmADaN8tA50LsWcjLFyQFcb/P2Txc58oYOeILb3vBw7J6f4pamkAQVSQuqYsKx3YzdUHCvbVZvFUsCAwEAAQ==_rAAKoivYZo763B3WIJc8O8hkepe3KRo6J+3/r0apFeno7xgYWFkbZ8aUIfM4aFyECHIom9lpMneKZXQmSmLSoQ==" lang="en" style="background: #2B2B2B;"><head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1"> <link rel="icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAIAAACQd1PeAAAADElEQVQI12P4//8/AAX+Av7czFnnAAAAAElFTkSuQmCC"> <link rel="preconnect" href="https://www.google.com" crossorigin></head><body><div id="target" style="opacity: 0"></div><script>win
Apr 28, 2025 14:58:20.830144882 CEST	350	IN	Data Raw: 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4e 54 52 6b 4f 47 45 77 59 54 51 74 4f 44 45 30 59 69 30 30 4f 54 63 35 4c 54 6b 35 4d 54 45 74 4e 54 55 35 5a 6a 6b 7a 4d 57 45 35 5a 44 63 7a 49 69 77 69 63 47 46 6e 5a 56 Data Ascii: dow.park = "eyJ1dWlkIjoiNTRkOGEwYTQtODE0Yi00OTc5LTk5MTEtNTU5ZjkzMWE5ZDczIiwicGFnZV90aW1lIjoxNzQ1ODQ1MTAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzEuY29rYS5sYS8iLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWVzdCI6e30sInBhZ2VfaGVhZGVycyI6e30sImhvc3QiOiJ3dzEuY29
Apr 28, 2025 14:58:20.837383032 CEST	350	IN	Data Raw: 64 6f 77 2e 70 61 72 6b 20 3d 20 22 65 79 4a 31 64 57 6c 6b 49 6a 6f 69 4e 54 52 6b 4f 47 45 77 59 54 51 74 4f 44 45 30 59 69 30 30 4f 54 63 35 4c 54 6b 35 4d 54 45 74 4e 54 55 35 5a 6a 6b 7a 4d 57 45 35 5a 44 63 7a 49 69 77 69 63 47 46 6e 5a 56 Data Ascii: dow.park = "eyJ1dWlkIjoiNTRkOGEwYTQtODE0Yi00OTc5LTk5MTEtNTU5ZjkzMWE5ZDczIiwicGFnZV90aW1lIjoxNzQ1ODQ1MTAwLCJwYWdlX3VybCI6Imh0dHA6Ly93dzEuY29rYS5sYS8iLCJwYWdlX21ldGhvZCI6IkdFVCIsInBhZ2VfcmVxdWVzdCI6e30sInBhZ2VfaGVhZGVycyI6e30sImhvc3QiOiJ3dzEuY29
Apr 28, 2025 14:58:21.011673927 CEST	347	OUT	GET /bLEzTQZNU.js HTTP/1.1 Accept: application/javascript, /;q=0.8 Referer: http://ww1.coka.la/ Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: ww1.coka.la Connection: Keep-Alive Cookie: parking_session=54d8a0a4-814b-4979-9911-559f931a9d73
Apr 28, 2025 14:58:21.229041100 CEST	1358	IN	HTTP/1.1 200 OK date: Mon, 28 Apr 2025 12:58:20 GMT content-type: application/javascript; charset=utf-8 content-length: 35693 x-request-id: c3b9c169-9b24-4348-b512-153f4a6314f5 set-cookie: parking_session=54d8a0a4-814b-4979-9911-559f931a9d73; expires=Mon, 28 Apr 2025 13:13:21 GMT Data Raw: 21 66 75 6e 63 74 69 6f 6e 28 65 2c 74 29 7b 22 6f 62 6a 65 63 74 22 3d 3d 74 79 70 65 6f 66 20 65 78 70 6f 72 74 73 26 26 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 6d 6f 64 75 6c 65 3f 74 28 65 78 70 6f 72 74 73 29 3a 22 66 75 6e 63 74 69 6f 6e 22 3d 3d 74 79 70 65 6f 66 20 64 65 66 69 6e 65 26 26 64 65 66 69 6e 65 2e 61 6d 64 3f 64 65 66 69 6e 65 28 5b 22 65 78 70 6f 72 74 73 22 5d 2c 74 29 3a 74 28 28 65 3d 22 75 6e 64 65 66 69 6e 65 64 22 21 3d 74 79 70 65 6f 66 20 67 6c 6f 62 61 6c 54 68 69 73 3f 67 6c 6f 62 61 6c 54 68 69 73 3a 65 7c 7c 73 65 6c 66 29 2e 76 65 72 73 69 6f 6e 3d 7b 7d 29 7d 28 74 68 69 73 2c 28 66 75 6e 63 74 69 6f 6e 28 65 78 70 6f 72 74 73 29 7b 22 75 73 65 20 73 74 72 69 63 74 22 3b 66 75 6e 63 74 69 6f 6e 20 5f 5f 61 77 61 69 74 65 72 28 65 2c 74 2c 6e 2c 69 29 7b 72 65 74 75 72 6e 20 6e 65 77 28 6e 7c 7c 28 6e 3d 50 72 6f 6d 69 73 65 29 29 28 28 66 75 6e 63 74 69 6f 6e 28 73 2c 61 29 7b 66 75 6e 63 74 69 6f 6e 20 6f 28 65 29 7b 74 72 79 7b 64 28 69 2e 6e [TRUNCATED] Data Ascii: !function(e,t){"object"==typeof exports&&"undefined"!=typeof module?t(exports):"function"==typeof define&&define.amd?define(["exports"],t):t((e="undefined"!=typeof globalThis?globalThis:e\|\|self).version={})}(this,(function(exports){"use strict";function __awaiter(e,t,n,i){return new(n\|\|(n=Promise))((function(s,a){function o(e){try{d(i.next(e))}catch(e){a(e)}}function r(e){try{d(i.throw(e))}catch(e){a(e)}}function d(e){var t;e.done?s(e.value):(t=e.value,t instanceof n?t:new n((function(e){e(t)}))).then(o,r)}d((i=i.apply(e,t\|\|[])).next())}))}var Blocking;"function"==typeof SuppressedError&&SuppressedError,function(e){e.PENDING="pending",e.NONE="none",e.BLOCKED="blocked",e.ALLOWED="allowed"}(Blocking\|\|(Blocking={}));class Adblock{constructor(e){this.state=Blocking.PENDING,this._mocked=!1,e?(this.state=e,this._mocked=!0):this.state=Blocking.ALLOWED}inject(){return __awaiter(this,void 0,void 0,(function*(){}))}hasAdblocker(){if(void 0===window.google)return!0;const e=document.querySelectorAll("style"); [TRUNCATED]
Apr 28, 2025 14:58:21.229059935 CEST	1358	IN	Data Raw: 6c 6f 63 6b 6b 65 79 22 29 29 29 7d 68 61 6e 64 6c 65 41 64 62 6c 6f 63 6b 65 64 28 29 7b 74 68 69 73 2e 72 65 6d 6f 76 65 41 64 62 6c 6f 63 6b 4b 65 79 28 29 2c 74 68 69 73 2e 73 74 61 74 65 3d 42 6c 6f 63 6b 69 6e 67 2e 42 4c 4f 43 4b 45 44 7d Data Ascii: lockkey")))}handleAdblocked(){this.removeAdblockKey(),this.state=Blocking.BLOCKED}removeAdblockKey(){var e;null===(e=document.documentElement.dataset)\|\|void 0===e\|\|delete e.adblockkey}get isBlocked(){return this.state===Blocking.BLOCKED}get is
Apr 28, 2025 14:58:21.229079008 CEST	1358	IN	Data Raw: 61 73 6f 6e 73 3b 21 66 75 6e 63 74 69 6f 6e 28 65 29 7b 65 2e 43 41 46 5f 54 49 4d 45 44 4f 55 54 3d 22 63 61 66 5f 74 69 6d 65 64 6f 75 74 22 2c 65 2e 43 41 46 5f 41 44 4c 4f 41 44 5f 46 41 49 4c 5f 52 53 3d 22 63 61 66 5f 61 64 6c 6f 61 64 66 Data Ascii: asons;!function(e){e.CAF_TIMEDOUT="caf_timedout",e.CAF_ADLOAD_FAIL_RS="caf_adloadfail_rs",e.CAF_ADLOAD_FAIL_ADS="caf_adloadfail_ads",e.DISABLED_GB="disabled_gb",e.DISABLED_AB="disabled_ab",e.DISABLED_DS="disabled_ds",e.AD_BLOCKED="ad_blocked",
Apr 28, 2025 14:58:21.229090929 CEST	1358	IN	Data Raw: 79 3a 20 68 69 64 64 65 6e 3b 5c 6e 7d 5c 6e 5c 6e 2f 2a 20 53 74 61 74 75 73 20 4d 65 73 73 61 67 65 73 20 2d 20 54 68 65 73 65 20 61 72 65 20 64 69 73 70 6c 61 79 65 64 20 77 68 65 6e 20 77 65 20 61 72 65 20 6e 6f 74 20 72 65 6e 64 65 72 69 6e Data Ascii: y: hidden;\n}\n\n/* Status Messages - These are displayed when we are not rendering ad blocks or Related Search */\n\n#pk-status-message {\n height: 75vh;\n width: 100%;\n display: flex;\n flex-direction: column;\n align-items: center;\n
Apr 28, 2025 14:58:21.229106903 CEST	1358	IN	Data Raw: 5c 6e 20 20 6c 65 66 74 3a 20 38 70 78 3b 5c 6e 20 20 61 6e 69 6d 61 74 69 6f 6e 3a 20 70 6b 2d 61 6e 69 6d 2d 31 20 30 2e 36 73 20 69 6e 66 69 6e 69 74 65 3b 5c 6e 7d 5c 6e 5c 6e 2e 70 6b 2d 6c 6f 61 64 65 72 20 64 69 76 3a 6e 74 68 2d 63 68 69 Data Ascii: \n left: 8px;\n animation: pk-anim-1 0.6s infinite;\n}\n\n.pk-loader div:nth-child(2) {\n left: 8px;\n animation: pk-anim-2 0.6s infinite;\n}\n\n.pk-loader div:nth-child(3) {\n left: 32px;\n animation: pk-anim-2 0.6s infinite;\n}\n\n.pk-
Apr 28, 2025 14:58:21.229116917 CEST	1358	IN	Data Raw: 6d 4e 6f 64 65 2e 63 6c 61 73 73 4c 69 73 74 2e 61 64 64 28 50 41 47 45 5f 52 45 41 44 59 5f 43 4c 41 53 53 29 7d 2c 74 68 69 73 2e 68 69 64 65 53 61 6c 65 73 42 61 6e 6e 65 72 3d 28 29 3d 3e 7b 74 68 69 73 2e 64 6f 6d 4e 6f 64 65 2e 63 6c 61 73 Data Ascii: mNode.classList.add(PAGE_READY_CLASS)},this.hideSalesBanner=()=>{this.domNode.classList.add("hide-sales-banner")},this.revealSalesBanner=()=>{this.domNode.classList.remove("hide-sales-banner")},this.injectMetaDescription=e=>{if(!e\|\|0===e.lengt
Apr 28, 2025 14:58:21.229141951 CEST	1358	IN	Data Raw: 3c 2f 64 69 76 3e 5c 6e 20 20 20 20 20 20 60 2c 22 42 4f 54 54 4f 4d 22 3d 3d 3d 6e 3f 28 6f 2e 73 74 79 6c 65 2e 6d 61 72 67 69 6e 54 6f 70 3d 22 33 30 70 78 22 2c 64 6f 63 75 6d 65 6e 74 2e 62 6f 64 79 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 6f Data Ascii: </div>\n `,"BOTTOM"===n?(o.style.marginTop="30px",document.body.appendChild(o)):document.body.prepend(o)}loading(e){let t="a few";e>0&&(t=`<span id="redirect">${e}</span>`),this.message(`\n <div class="pk-loader">\n <div></div
Apr 28, 2025 14:58:21.229157925 CEST	1358	IN	Data Raw: 74 72 69 6e 67 28 29 2c 64 6f 63 75 6d 65 6e 74 2e 68 65 61 64 2e 61 70 70 65 6e 64 43 68 69 6c 64 28 74 29 7d 69 6e 6a 65 63 74 53 63 72 69 70 74 28 65 29 7b 69 66 28 21 65 29 72 65 74 75 72 6e 3b 63 6f 6e 73 74 20 74 3d 64 6f 63 75 6d 65 6e 74 Data Ascii: tring(),document.head.appendChild(t)}injectScript(e){if(!e)return;const t=document.createElement("script");t.type="text/javascript",t.src=e,document.body.appendChild(t)}injectJS(js){js&&0!==js.length&&eval(js)}injectHTML(e){this.domNode?(e&&(t
Apr 28, 2025 14:58:21.229170084 CEST	1358	IN	Data Raw: 6f 6e 73 74 20 74 3d 6e 65 77 20 44 69 73 61 62 6c 65 64 3b 72 65 74 75 72 6e 20 74 2e 72 65 61 73 6f 6e 3d 6e 2c 74 2e 64 6f 6d 61 69 6e 3d 65 2e 64 6f 6d 61 69 6e 4e 61 6d 65 2c 74 7d 7d 67 65 74 20 6d 65 73 73 61 67 65 28 29 7b 73 77 69 74 63 Data Ascii: onst t=new Disabled;return t.reason=n,t.domain=e.domainName,t}}get message(){switch(this.reason){case"adblocker":return"<h1>Content blocked</h1> Please turn off your ad blocker.";case"disabled_mr":return`<h1>Invalid URL</h1> Referral traffic f

Timestamp	Bytes transferred	Direction	Data
2025-04-28 12:58:19 UTC	586	OUT	GET /hyirn.hta?ch=1&js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTc0NTg1MTg3NCwiaWF0IjoxNzQ1ODQ0Njc0LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIzMHQ3b3VyMWg0cWNpbXBjOThhMDhpODYiLCJuYmYiOjE3NDU4NDQ2NzQsInRzIjoxNzQ1ODQ0Njc0OTE4NjIwfQ.GI_YPwbWdpRvsfw_D8XkPikj7MZDOzelICwzole8gjQ&sid=7851b02e-242f-11f0-bce7-d69d2fb93891 HTTP/1.1 Accept: text/html, application/xhtml+xml, image/jxr, / Accept-Language: en-CH User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Encoding: gzip, deflate Host: d.coka.la Connection: Keep-Alive
2025-04-28 12:58:20 UTC	352	IN	HTTP/1.1 302 Found cache-control: max-age=0, private, must-revalidate connection: close content-length: 11 date: Mon, 28 Apr 2025 12:58:20 GMT location: http://ww1.coka.la server: Cowboy set-cookie: sid=7851b02e-242f-11f0-bce7-d69d2fb93891; path=/; domain=.coka.la; expires=Sat, 16 May 2093 16:12:27 GMT; max-age=2147483647; secure; HttpOnly
2025-04-28 12:58:20 UTC	11	IN	Data Raw: 52 65 64 69 72 65 63 74 69 6e 67 Data Ascii: Redirecting

Target ID:	0
Start time:	08:58:13
Start date:	28/04/2025
Path:	C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit):	true
Commandline:	mshta.exe "C:\Users\user\Desktop\hyirn.hta"
Imagebase:	0xd70000
File size:	13'312 bytes
MD5 hash:	06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	3
Start time:	08:58:14
Start date:	28/04/2025
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17410 /prefetch:2
Imagebase:	0xd30000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	5
Start time:	08:58:17
Start date:	28/04/2025
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1488 CREDAT:17414 /prefetch:2
Imagebase:	0xd30000
File size:	828'368 bytes
MD5 hash:	6F0F06D6AB125A99E43335427066A4A1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used.For example, information about application windows could be used identify potential data to collect as well as identifying security tooling ( Security Software Discovery ) to evade.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hyirn.hta

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{71851B2B-2430-11F0-8C30-ECF4BB570DC9}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{71851B2D-2430-11F0-8C30-ECF4BB570DC9}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{71851B2F-2430-11F0-8C30-ECF4BB570DC9}.dat

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\favicon[1].ico

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\hyirn[1].hta

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\UVO4M0JR.htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\bLEzTQZNU[1].js

C:\Users\user\AppData\Local\Temp\~DF67298C79B64E95AD.TMP

C:\Users\user\AppData\Local\Temp\~DF811127BDF2917958.TMP

C:\Users\user\AppData\Local\Temp\~DFC310EA29AC4B93F9.TMP

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
hyirn.hta