
Windows Analysis Report
default.hta

Overview

General Information

Sample name: default.hta
Analysis ID: 1676286
MD5: 3dbd4bfc0e65d7ad83d90a9b45f65e49
SHA1: 7ce5d14340c68ff26e602ed903765f6ce5cc75b3
SHA256: 7f442e5bbc06204cec861f2bfde13bec0ba0cbdf3becb54caa421e03f09a1426
Tags: hta, user-abuse_ch

Detection

Score: 23
Range: 0 - 100
Confidence: 60%

Signatures

Opens network shares
AV process strings found (often used to terminate AV products)
Detected TCP or UDP traffic on non-standard ports
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
One or more processes crash
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious)
  • System is w10x64
  • mshta.exe (PID: 6240 cmdline: mshta.exe "C:\Users\user\Desktop\default.hta" MD5: 06B02D5C097C7DB1F109749C45F3F505)
    • WerFault.exe (PID: 7360 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 2792 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched

Source: unknown | HTTPS traffic detected: 142.250.69.4:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 3.163.125.15:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: global traffic | TCP traffic: 192.168.2.7:49683 -> 104.17.150.117:139
Source: Joe Sandbox View | IP Address: 104.17.150.117
Source: Joe Sandbox View | IP Address: 3.163.125.15
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: GET /recaptcha/api.js HTTP/1.1 Accept: */* Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.google.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1 Accept: */* Accept-Language: en-CH Origin: file: Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: cdn.amplitude.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /images/icons/myfiles/default.png HTTP/1.1 Accept: */* Accept-Language: en-CH Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: www.mediafire.com Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com/2008/fbml equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000002.1540443421.00000000006D1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.facebook.com/mediafires"a) equals www.facebook.com (Facebook)
Source: mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.youtube.com equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | String found in binary or memory: return f}iI.K="internal.enableAutoEventOnTimer";var $b=ua(["data-gtm-yt-inspected-"]),kI=["www.youtube.com","www.youtube-nocookie.com"],lI,mI=!1; equals www.youtube.com (Youtube)
Source: mshta.exe, 00000000.00000003.1496118787.0000000005B06000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: www.youtube.comD equals www.youtube.com (Youtube)
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: www.mediafire.com
Source: global traffic | DNS traffic detected: DNS query: cdn.amplitude.com
Source: mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js(1
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js)
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.jst0
Source: mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.jswsC:
Source: mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://blog.mediafire.com/
Source: mshta.exe, 00000000.00000002.1546945776.0000000006B34000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cdn.ampproject.org
Source: mshta.exe, 00000000.00000002.1544729680.00000000062ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://twitter.com/#
Source: Amcache.hve.11.dr | String found in binary or memory: http://upx.sf.net
Source: mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.hta | String found in binary or memory: http://www.mediafire.com
Source: mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/
Source: mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/im
Source: mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.png
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.png4
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngD
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngF
Source: mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngKVy
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngd
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngogo_u1_full_color.svgrsed.svgyw
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.mediafire.com/images/icons/myfiles/default.pngq
Source: default.hta | String found in binary or memory: http://www.mediafire.com/images/logos/mf_logo250x250.png
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.mediafire.com/images/logos/mf_logo250x250.png32
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://ad.doubleclick.net/activity;
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://ad.doubleclick.net/activity;register_conversion=1;
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://ade.googlesyndication.com/ddm/activity/
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285250107.00000000062E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://blog.mediafire.com/
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496118787.0000000005B06000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277627215.000000000632B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285983778.00000000062D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006258000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285250107.00000000062DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1555968918.0000000007650000.00000004.00000800.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://cct.google/taggy/agent.js
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/.
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546782725.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js4
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js80
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsC:
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsd
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jst
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/contact
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha-enterprise/billing-information
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#automated-query-error
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#localhost-error
Source: mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.w
Source: mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/hosted-libraries-pushers
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/recaptcha
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268564609.0000000006256000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268392930.0000000006254000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/38fac9d5b82543fc4729580d18ff2d3d
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/recaptcha
Source: mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1068:0
Source: mshta.exe, 00000000.00000003.1285250107.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286001142.0000000006308000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285963623.0000000006314000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285983778.00000000062D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000631B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1310:0
Source: mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1068:0
Source: mshta.exe, 00000000.00000003.1277787628.000000000631B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:0
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-reca
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fast.io
Source: mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fast.io/pricing
Source: mshta.exe, 00000000.00000003.1285250107.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fast.ioO
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/
Source: mshta.exe, 00000000.00000002.1540443421.0000000000612000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: mshta.exe, 00000000.00000002.1540443421.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, css[1].css.0.drString found in binary or memory: https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&ske
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://google.com/pagead/form-data
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://googleads.g.doubleclick.net/pagead/viewthroughconversion
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.c
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://m.youtube.com
Source: mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://mediafire.zendesk.com/hc/en-us
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546230547.00000000068E0000.00000004.00000800.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com/ccm/collect
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://pagead2.googlesyndication.com/pagead/gen_204?id=tcfe
Source: mshta.exe, 00000000.00000003.1496313880.0000000005AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pagead2.googlesyndication.comok.https://pagead2.googlesyndication.com
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.drString found in binary or memory: https://static.hotjar.com/c/hotjar-
Source: recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha
Source: mshta.exe, 00000000.00000003.1277657009.0000000006327000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha#6262736
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha/#6175971
Source: mshta.exe, 00000000.00000003.1277657009.0000000006327000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://support.google.com/recaptcha/?hl=en#6223828
Source: mshta.exe, 00000000.00000002.1556138988.00000000076A4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://targetRefisDestinationTADebugSignalREFERRERcct.google__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://td.doubleclick.net
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, js[1].js.0.drString found in binary or memory: https://www.google-analytics.com/analytics.js
Source: mshta.exe, 00000000.00000002.1556020949.0000000007676000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.js;
Source: mshta.exe, 00000000.00000003.1496118787.0000000005B06000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google-analytics.com/analytics.jsY.loadedc.onFailure
Source: js[1].js.0.drString found in binary or memory: https://www.google.com
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/ccm/collect
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/pagead/form-data
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000651000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.0000000006250000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546020690.0000000006833000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.google.com/recaptcha/api.js
Source: mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.js.com/images/icons/myfiles/default.png
Source: mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsH
Source: mshta.exe, 00000000.00000002.1540443421.0000000000651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsft
Source: mshta.exe, 00000000.00000002.1544729680.0000000006250000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/recaptcha/api.jsp
Source: mshta.exe, 00000000.00000002.1544729680.0000000006240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546020690.0000000006845000.00000004.00000800.00020000.00000000.sdmp, api[1].js.0.dr, recaptcha__en[1].js.0.drString found in binary or memory: https://www.google.com/recaptcha/api2/
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.google.com/travel/flights/click/conversion
Source: mshta.exe, 00000000.00000002.1556267399.00000000076D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.comconversion_linkerapplicableSectionsapp_installer_idfl_user_data_cacheaddConsen
Source: mshta.exe, 00000000.00000003.1496313880.0000000005AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.comok.https://www.google.com
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546230547.00000000068E0000.00000004.00000800.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googleadservices.com
Source: mshta.exe, 00000000.00000002.1555968918.0000000007650000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.cominternal.sortRemoteConfigParametersinternal.addHistoryChangeListener
Source: mshta.exe, 00000000.00000003.1496313880.0000000005AEE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googleadservices.comok.https://www.googleadservices.com
Source: js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/F
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com/a?
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556020949.0000000007676000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546782725.0000000006AF0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1.js91
Source: mshta.exe, 00000000.00000002.1540443421.0000000000651000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1.min.js
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006EC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1C:
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1D
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1f
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1ogleTranslateElementInit.php
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-829541-1ranslateElementInit
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1547250915.0000000006C1D000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T1
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4TI
Source: mshta.exe, 00000000.00000002.1544729680.0000000006317000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4TLMEMp
Source: mshta.exe, 00000000.00000002.1540443421.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4Tjsmin.jsTF7/recaptcha__en.js
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4Tjsml(1
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4Tv
Source: mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/gtm.js?id=GTM-53LP4T~
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htaString found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-53LP4T
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556020949.0000000007676000.00000004.00000800.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.googletagmanager.com/static/service_worker/
Source: mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.googletagmanager.com/static/service_worker/d.protocol
Source: mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drString found in binary or memory: https://www.gstatic.c..?/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__.
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/
Source: mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/6
Source: mshta.exe, 00000000.00000002.1544729680.0000000006240000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobu
Source: mshta.exe, 00000000.00000002.1544304246.0000000005AA2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546020690.0000000006845000.00000004.00000800.00020000.00000000.sdmp, api[1].js.0.drString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js7
Source: mshta.exe, 00000000.00000002.1540443421.00000000006D1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsHIv
Source: mshta.exe, 00000000.00000002.1544729680.00000000062CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsLMEM
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsX
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsi
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jsip
Source: mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.jss10
Source: mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drString found in binary or memory: https://www.youtube.com
Source: mshta.exe, 00000000.00000002.1556267399.00000000076D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.youtube.comdelivery_postal_codephone_conversion_idsads_data_redactioninternal.injectHtml
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49693
Source: unknownNetwork traffic detected: HTTP traffic on port 49693 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49701 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49701
Source: unknownHTTPS traffic detected: 142.250.69.4:443 -> 192.168.2.7:49693 version: TLS 1.2
Source: unknownHTTPS traffic detected: 3.163.125.15:443 -> 192.168.2.7:49701 version: TLS 1.2
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 2792
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engineClassification label: sus23.spyw.winHTA@2/17@3/3
Source: C:\Windows\SysWOW64\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\jquery.min[1].js
Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6240
Source: C:\Windows\SysWOW64\WerFault.exeFile created: C:\ProgramData\Microsoft\Windows\WER\Temp\0b7d8130-5f12-4071-8af1-ecd9b006558c
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\default.hta"
Source: C:\Windows\SysWOW64\mshta.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 2792
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: schannel.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mskeyprotect.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ntasn1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: msasn1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: gpapi.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ncrypt.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ncryptsslp.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: secur32.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exeSection loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
Source: Amcache.hve.11.drBinary or memory string: VMware
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin
Source: Amcache.hve.11.drBinary or memory string: VMware, Inc.
Source: Amcache.hve.11.drBinary or memory string: VMware20,1hbin@
Source: Amcache.hve.11.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.11.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006EC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: Amcache.hve.11.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.11.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.11.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.11.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.11.drBinary or memory string: vmci.sys
Source: Amcache.hve.11.drBinary or memory string: vmci.syshbin`
Source: Amcache.hve.11.drBinary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.11.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}S|q"
Source: Amcache.hve.11.drBinary or memory string: VMware20,1
Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.11.drBinary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.11.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.11.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.11.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.11.drBinary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.11.drBinary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.11.drBinary or memory string: VMware Virtual RAM
Source: Amcache.hve.11.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.11.drBinary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.11.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\mshta.exeMemory allocated: page read and write | page guard
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.11.drBinary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: C:\Windows\SysWOW64\mshta.exeFile opened: \\static.mediafire.com\css\
MITRE ATT&CK Matrix (the number in parentheses is the count the report shows next to that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron; Launchd
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Process Injection (1); DLL Side-Loading (1); Software Packing
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Network Share Discovery (1); Security Software Discovery (11); System Information Discovery (2); System Network Configuration Discovery; Internet Connection Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact
Behavior Graph (rendered as an image in the original report; only the node data is recoverable here). Behavior Graph ID: 1676286. Sample: default.hta. Startdate: 28/04/2025. Architecture: WINDOWS. Score: 23.
Network nodes: www.google.com (142.250.69.4, ports 443, 49693, GOOGLEUS, United States); www.mediafire.com (104.17.150.117, ports 139, 445, 49696, CLOUDFLARENETUS, United States); cdn.amplitude.com (3.163.125.15, ports 443, 49701, AMAZON-02US, United States).
Process nodes: mshta.exe (started) contacts all three hosts and starts WerFault.exe. Signature node attached to mshta.exe: Opens network shares.

Source | Detection | Scanner | Label | Link
default.hta | 0% | Virustotal | |
default.hta | 0% | ReversingLabs | |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://blog.mediafire.com/ | 0% | Avira URL Cloud | safe |
https://fast.io | 0% | Avira URL Cloud | safe |
https://www.google.comok.https://www.google.com | 0% | Avira URL Cloud | safe |
https://login.live.c | 0% | Avira URL Cloud | safe |
https://targetRefisDestinationTADebugSignalREFERRERcct.google__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG | 0% | Avira URL Cloud | safe |
http://blog.mediafire.com/ | 0% | Avira URL Cloud | safe |
https://www.youtube.comdelivery_postal_codephone_conversion_idsads_data_redactioninternal.injectHtml | 0% | Avira URL Cloud | safe |
https://www.google.comconversion_linkerapplicableSectionsapp_installer_idfl_user_data_cacheaddConsen | 0% | Avira URL Cloud | safe |
https://fast.io/pricing | 0% | Avira URL Cloud | safe |
https://csp.w | 0% | Avira URL Cloud | safe |
https://mediafire.zendesk.com/hc/en-us | 0% | Avira URL Cloud | safe |
https://fast.ioO | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.mediafire.com | 104.17.150.117 | true | false | | high
cdn.amplitude.com | 3.163.125.15 | true | false | | high
www.google.com | 142.250.69.4 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://www.mediafire.com/images/icons/myfiles/default.png | false | | high
https://www.google.com/recaptcha/api.js | false | | high
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://blog.mediafire.com/ | mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285250107.00000000062E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062E8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ad.doubleclick.net/activity;register_conversion=1; | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://fast.io | mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://csp.withgoogle.com/csp/report-to/38fac9d5b82543fc4729580d18ff2d3d | mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268564609.0000000006256000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268392930.0000000006254000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.amplitude.com/. | mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.google.com/recaptcha#6262736 | mshta.exe, 00000000.00000003.1277657009.0000000006327000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
http://blog.mediafire.com/ | mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/recaptcha/api.jsft | mshta.exe, 00000000.00000002.1540443421.0000000000651000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#automated-query-error | mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
http://www.mediafire.com/images/icons/myfiles/default.pngF | mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://google.com/pagead/form-data | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
http://www.mediafire.com/images/icons/myfiles/default.pngD | mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/recaptcha | mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://googleads.g.doubleclick.net/pagead/viewthroughconversion | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://targetRefisDestinationTADebugSignalREFERRERcct.google__TAG_ASSISTANTEXTENSION_PARAMGTM_DEBUG | mshta.exe, 00000000.00000002.1556138988.00000000076A4000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.mediafire.com/images/icons/myfiles/default.pngKVy | mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.google.com/recaptcha/?hl=en#6223828 | mshta.exe, 00000000.00000003.1277657009.0000000006327000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://cloud.google.com/contact | mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://www.youtube.com | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
http://www.mediafire.com/images/icons/myfiles/default.pngq | mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com | js[1].js.0.dr | false | | high
http://www.mediafire.com/images/logos/mf_logo250x250.png | default.hta | false | | high
https://www.google.com/recaptcha/api.jsp | mshta.exe, 00000000.00000002.1544729680.0000000006250000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/travel/flights/click/conversion | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://support.google.com/recaptcha/#6175971 | mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.dr | false | | high
https://m.youtube.com | mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496259441.0000000005AFA000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.dr | false | | high
https://fast.io/pricing | mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.youtube.comdelivery_postal_codephone_conversion_idsads_data_redactioninternal.injectHtml | mshta.exe, 00000000.00000002.1556267399.00000000076D9000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js4 | mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/recaptcha/api2/ | mshta.exe, 00000000.00000002.1544729680.0000000006240000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1546020690.0000000006845000.00000004.00000800.00020000.00000000.sdmp, api[1].js.0.dr, recaptcha__en[1].js.0.dr | false | | high
http://www.mediafire.com/images/icons/myfiles/default.pngd | mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.mediafire.com/ | mshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://csp.withgoogle.com/csp/report-to/hosted-libraries-pushers | mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://support.google.com/recaptcha | recaptcha__en[1].js.0.dr | false | |
                                                                      high
                                                                      https://www.google.com/pagead/form-datamshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                        high
                                                                        https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1068:0mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://cloud.google.com/recaptcha/docs/troubleshoot-recaptcha-issues#localhost-errormshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                            high
                                                                            https://csp.wmshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://www.mediafire.com/images/logos/mf_logo250x250.png32mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://www.mediafire.commshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmp, default.htafalse
                                                                                high
                                                                                https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.js80mshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://cloud.google.com/recaptcha-enterprise/billing-informationmshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                    high
                                                                                    https://www.google.com/recaptcha/api.jsHmshta.exe, 00000000.00000002.1540443421.0000000000663000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://www.google.comok.https://www.google.commshta.exe, 00000000.00000003.1496313880.0000000005AEE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1068:0mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286122083.00000000006CA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062C7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://login.live.cmshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        https://static.hotjar.com/c/hotjar-mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.drfalse
                                                                                          high
                                                                                          http://upx.sf.netAmcache.hve.11.drfalse
                                                                                            high
                                                                                            https://csp.withgoogle.com/csp/hosted-libraries-pushersmshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://www.google.comconversion_linkerapplicableSectionsapp_installer_idfl_user_data_cacheaddConsenmshta.exe, 00000000.00000002.1556267399.00000000076D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://cct.google/taggy/agent.jsmshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1496118787.0000000005B06000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277627215.000000000632B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285983778.00000000062D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006258000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285250107.00000000062DB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1555968918.0000000007650000.00000004.00000800.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                high
                                                                                                https://csp.withgoogle.com/csp/report-to/recaptchamshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://developers.google.com/recaptcha/docs/faq#are-there-any-qps-or-daily-limits-on-my-use-of-recamshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                                    high
                                                                                                    https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsdmshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.mediafire.com/images/icons/myfiles/default.png4mshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://ad.doubleclick.net/activity;mshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                          high
                                                                                                          https://td.doubleclick.netmshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                            high
                                                                                                            http://www.mediafire.com/immshta.exe, 00000000.00000002.1540443421.0000000000632000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://mediafire.zendesk.com/hc/en-usmshta.exe, 00000000.00000003.1268505982.00000000006CB000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jsC:mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                http://twitter.com/#mshta.exe, 00000000.00000002.1544729680.00000000062ED000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://www.google.com/recaptcha/api.js.com/images/icons/myfiles/default.pngmshta.exe, 00000000.00000003.1268392930.0000000006264000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://fast.ioOmshta.exe, 00000000.00000003.1285250107.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://cdn.amplitude.com/libs/amplitude-8.5.0-min.gz.jstmshta.exe, 00000000.00000002.1544729680.0000000006262000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      http://cdn.ampproject.orgmshta.exe, 00000000.00000002.1546945776.0000000006B34000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://cdn.amplitude.com/mshta.exe, 00000000.00000003.1277787628.0000000006260000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://csp.withgoogle.com/csp/report-to/scaffolding/ascgcycc:1310:0mshta.exe, 00000000.00000003.1285250107.000000000630D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286001142.0000000006308000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285963623.0000000006314000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1285983778.00000000062D0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1544729680.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1286161937.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062CD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.00000000062F8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1277787628.000000000631B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://csp.withgoogle.com/csp/scaffolding/ascgcycc:1310:0mshta.exe, 00000000.00000003.1277787628.000000000631B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.google.com/ccm/collectmshta.exe, 00000000.00000002.1553777770.0000000007070000.00000004.00000020.00020000.00000000.sdmp, gtm[1].js.0.dr, js[1].js.0.drfalse
                                                                                                                                high
                                                                                                                                https://www.google.com/mshta.exe, 00000000.00000002.1540443421.0000000000692000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://www.mediafire.com/images/icons/myfiles/default.pngogo_u1_full_color.svgrsed.svgywmshta.exe, 00000000.00000002.1540443421.00000000006AE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1268505982.00000000006B8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://www.gstatic.c..?/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__.mshta.exe, 00000000.00000002.1556980973.0000000007EB2000.00000004.00000020.00020000.00000000.sdmp, recaptcha__en[1].js.0.drfalse
                                                                                                                                      high
IP | Domain | Country | ASN | ASN Name | Malicious
142.250.69.4 | www.google.com | United States | 15169 | GOOGLEUS | false
104.17.150.117 | www.mediafire.com | United States | 13335 | CLOUDFLARENETUS | false
3.163.125.15 | cdn.amplitude.com | United States | 16509 | AMAZON-02US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1676286
Start date and time: 2025-04-28 15:22:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: default.hta
Detection: SUS
Classification: sus23.spyw.winHTA@2/17@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 32
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .hta
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WerFault.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 192.178.49.170, 142.250.69.8, 192.178.49.195, 52.168.117.173, 4.245.163.56, 184.29.183.29, 20.190.151.70
• Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, fonts.googleapis.com, fs.microsoft.com, slscr.update.microsoft.com, ajax.googleapis.com, ctldl.windowsupdate.com, static.mediafire.com, fe3cr.delivery.mp.microsoft.com, login.live.com, www.googletagmanager.com, blobcollector.events.data.trafficmanager.net, translate.google.com, umwatson.events.data.microsoft.com, www.gstatic.com, c.pki.goog
• Execution Graph export aborted for target mshta.exe, PID 6240 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
09:23:53 | API Interceptor | 1x Sleep call for process: mshta.exe modified
09:24:20 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
104.17.150.117 | 250427-qx3s4s1wct.bin.vbs | malicious | LCRYX
104.17.150.117 | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown
104.17.150.117 | https://www.mediafire.com/file_premium/862bjkucj0uc79f/69149366_pdf.lzh/file | malicious | Snake Keylogger, VIP Keylogger
104.17.150.117 | LCrypt0rX.vbs | malicious | LCRYX
104.17.150.117 | https://tr.ee/wljbhw | malicious | Unknown
104.17.150.117 | http://goo.su/0F4Xk | malicious | Unknown
104.17.150.117 | http://freegamesDL.net | malicious | Unknown
104.17.150.117 | LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig
104.17.150.117 | LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig
104.17.150.117 | 809e682faadb839aaf9e5e6b171dfa3e.ps1 | malicious | Unknown
3.163.125.15 | Welcome to the Niskayuna Soccer Club 3 (003).docx | malicious | Unknown
3.163.125.15 | https://clickme.thryv.com/ls/click?upn=u001.5dsdCa4YiGVzoib36gWoSPyltUaWCsyFq200Ntb2JspVnELOGgvw66FVBJMc1CsMmns0_-2BOVhbrxcsvz9veeoLEglpD8RiEh0AaH1ow0Lk-2FKx9DGH2EA0fWhnrHZ-2FmlnIJ5UhAxXtDoOWXX-2FPyG5rVAl4UI7bgryXtRxONxX47M69Zs408-2BvnAL8-2FwQfC38J0vo-2BNPuXd9ZQRl3mVPkcpfDB8fFzO8k72NDbDigQEVVlq88Cbyd-2FspyzvoVJPR1h-2FbZ7QQ6McqmPE9-2BcpXmxMjtiMnlH5y7my6ciUJ8oawjrr8uTV2VFCUnRz-2BYajHpdlo-2BdijTTWoN6XIqzSzzn9raVdyCv6yrtMzJIVFFK229s6J0zoOHuRdvwd4zEdpENbxbzehqnKQ8Yk3LeuEYUlsDIufaiekHtd-2BWbkmha56OPiK-2BI-3D | malicious | HTMLPhisher
3.163.125.15 | https://cloudde-e0e7.samariakurtz.workers.dev/633c62d4-5847-4578-aefc-6b70c4961623 | malicious | HTMLPhisher
3.163.125.15 | https://enjucm-6424.anotudhoeah.workers.dev/8dc0c739-61df-4e9d-9bd9-b5bc957356bf | malicious | HTMLPhisher
3.163.125.15 | https://nhdaua-8845.etezmraleietk.workers.dev/ | malicious | HTMLPhisher
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.mediafire.com | 250427-qx3s4s1wct.bin.vbs | malicious | LCRYX | 104.17.150.117
www.mediafire.com | LCrypt0rX.vbs | malicious | LCRYX | 104.17.151.117
www.mediafire.com | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown | 104.17.150.117
www.mediafire.com | https://www.mediafire.com/file_premium/862bjkucj0uc79f/69149366_pdf.lzh/file | malicious | Snake Keylogger, VIP Keylogger | 104.17.150.117
www.mediafire.com | http://goo.su/0F4Xk | malicious | Unknown | 104.17.151.117
www.mediafire.com | http://freegamesDL.net | malicious | Unknown | 104.17.150.117
www.mediafire.com | LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig | 104.17.150.117
www.mediafire.com | LCrypt0rX.vbs | malicious | Chaos, LCRYX, Xmrig | 104.17.150.117
www.mediafire.com | LCrypt0rX.vbs | malicious | Chaos, LCRYX | 104.17.151.117
www.mediafire.com | https://www.mediafire.com/file_premium/8q094mjevfshw6g/glass.mp3/file | malicious | Unknown | 104.17.151.117
cdn.amplitude.com | https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbnozTmR0Vno0czY3WnFuRk4ySHBPbDdhdDRrd3xBQ3Jtc0trcXl4a05HZXJ2UFRLR3VzWVB2cnNjRzN3QkZlaHQ1cGplYXdEUFpfaHp0MXZkajNCb2FfTjBVdkxwSHl6cmU3VnUyamgyem1YOEpKbmlURlZrR3BFa3FCT1hWQnFrczRHZ3N6eGwzdy1uVFBlQ2hXOA&q=https%3A%2F%2Ffusionhacks.pw%2Fcheat%2Fval-176.php&v=DVy4Ry9PsTI | malicious | Unknown | 13.33.21.19
cdn.amplitude.com | FW Partnership HealthPlan of CA 2025 Employee Engagement Survey Dashboard Invite.msg | malicious | Unknown | 13.33.21.29
cdn.amplitude.com | https://email.safetyculture.io/ls/click?upn=u001.cCyxNsYTMFF4ZKCpdv-2Bg28QgUGX9bJuy-2Fei6moTQptvv2V6K6AkKU64zbCs9BLFuHYXR_Jmcoi-2BtLy2oATK-2B5qJhoXO8WIQKx6v-2BgOONpd-2Bdm5MbYvpstcM2UQs-2B9al-2B0YWp-2FLIHioEmA9x7VbqUJ0iHZ5RuT3URHNpHAW8MxlU47M70oaVfGVfxAHKdLKB857L3mVQzC5TLomvNVzTGc1xNZTM7J9SQyDeg5gmqTBxVGR-2Bxhi-2FRpL7ruqhNfku5cyBHFkVu9Mk8YrMqpwuvD03kwfo0jOu-2FDYhLAvlp0PSfypTrsLon1pmBxw-2F-2Bk5HJZZ5zZsFxvoIbMLgyFvWU11-2BLBDSnmfh8fGhZvCRi6eFC57GUJj3UgcGLWVX93vAMrkdqwttsCsMks2-2FB8pIZtGQGxPNam2WW28QD3ltMZUYgGCzJqItoU468pVM9QMdShkp-2Fd6jIukwK-2Bey5UVdQJGNQUj7s61MA7QAnXCmKNmrdW-2FTO9UpLhxl9lryeo13xkrwzWJXJQibThPapZifxIo2ivMw-3D-3D | malicious | Unknown | 18.64.155.73
cdn.amplitude.com | https://complianz.com/agreements/pccf9k/portal/new | malicious | Unknown | 18.64.155.6
cdn.amplitude.com | http://www.accessmyig.com | malicious | Unknown | 108.139.29.12
cdn.amplitude.com | http://goo.su/0F4Xk | malicious | Unknown | 108.139.29.53
cdn.amplitude.com | http://freegamesDL.net | malicious | Unknown | 108.139.29.40
cdn.amplitude.com | https://app.milanote.com/1U2zIh1wMk1t0w?p=EJe9bohrOuK | malicious | Unknown | 108.139.29.45
cdn.amplitude.com | https://funeral-notices.co.uk | malicious | HTMLPhisher | 108.139.29.45
cdn.amplitude.com | http://belastingdiensrt.nl.services.cartoriomoreirafeitosa.com.br//#mclear@securustechnologies.com | malicious | HTMLPhisher | 108.139.29.12
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02US | RUWAIS_LNG_-_SOURCING_1321-1051_EQUIPMENT_MATERIALS.xls.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | na.elf | malicious | Prometei | 34.254.182.186
AMAZON-02US | PO-0427-26 - 150-30.exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | na.elf | malicious | Prometei | 34.249.145.219
AMAZON-02US | payment confirmation copy (JLT).exe | malicious | FormBook | 13.248.169.48
AMAZON-02US | #U041f#U0430#U0440#U043e#U043b#U044c.js | malicious | RMSRemoteAdmin | 35.158.89.211
AMAZON-02US | .i.elf | malicious | Unknown | 54.171.230.55
AMAZON-02US | mips.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | skid.arm.elf | malicious | Unknown | 34.249.145.219
AMAZON-02US | https://links.executiveconsulting.company/D/pY6XAFlRNUOvXbeZTKqgmBLI3HJxMtwCVsyE94XpoJYcn7kgMRadXfUv1Lz0NTHUqFEPWrbgAMJKXvQYIWnLtduCmfXsOYl5zpNhVgTRqjco7xEM9KaFWbLdXsUQpOynYvT2WX3CZlrMkNbF1gJoHEi84 | malicious | Unknown | 3.129.244.205
CLOUDFLARENETUS | Quotation.exe | malicious | FormBook | 104.21.16.1
CLOUDFLARENETUS | RUWAIS_LNG_-_SOURCING_1321-1051_EQUIPMENT_MATERIALS.xls.exe | malicious | FormBook | 104.21.68.226
CLOUDFLARENETUS | https://digitalgurususerinfraction.vercel.app/help&support | malicious | HTMLPhisher | 104.26.4.15
CLOUDFLARENETUS | http://7063734195.sbs | malicious | HTMLPhisher | 104.18.95.41
CLOUDFLARENETUS | original.eml | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | MTC & Drawing-A0115-P1-10-MOLD-BASE.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.64.1
CLOUDFLARENETUS | PO9765.js | malicious | Unknown | 162.159.140.237
CLOUDFLARENETUS | National Environmental Health Service Online.html | malicious | Unknown | 172.67.41.16
CLOUDFLARENETUS | PO-0427-26 - 150-30.exe | malicious | FormBook | 172.67.136.196
CLOUDFLARENETUS | lYhbb40rTt.exe | malicious | ACR Stealer | 172.67.195.37
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | Quotation request List.exe | malicious | Remcos, GuLoader | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | AWB 210229572045.docx.doc | malicious | Unknown | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | adguardInstaller.exe | malicious | Unknown | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | fBuTJOzoyQ.exe | malicious | CryptOne | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | c57s18lwKh.exe | malicious | Amadey, LummaC Stealer, RHADAMANTHYS, Vidar, Xmrig | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | VaN8Wm707H.exe | malicious | CryptOne | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | 6QRq90oLoJ.exe | malicious | CryptOne | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | loper5105205736990.exe | malicious | GuLoader, Snake Keylogger | 142.250.69.4, 3.163.125.15
37f463bf4616ecd445d4a1937da06e19 | rKS57hZAwU.exe | malicious | CryptOne | 142.250.69.4, 3.163.125.15
                                                                                                                                                                    No context
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                    Category:dropped
                                                                                                                                                                    Size (bytes):65536
                                                                                                                                                                    Entropy (8bit):1.2227348198478787
                                                                                                                                                                    Encrypted:false
                                                                                                                                                                    SSDEEP:192:OifZxAmY0otkwjBFRHhLOzuiFFZ24IO8Io:VfPAmzotkwjPOzuiFFY4IO8I
                                                                                                                                                                    MD5:FDF61BBE1066EA2E7ED10BF217EC4F91
                                                                                                                                                                    SHA1:7275F7200FCCC5ADF3832F450A962AA286479CE2
                                                                                                                                                                    SHA-256:63AB7CBACD066F89F092C022B28353DCA951717CB3651289008585E6E8D1A7B8
                                                                                                                                                                    SHA-512:C420049240EDDE60CC99A000E79FA37F04F6621EFE63E24D208CCDB8C9E96373EF2FEF273EFDD8F99A84440922A519238EA3049099D59DEF0086033488B41C68
                                                                                                                                                                    Malicious:false
                                                                                                                                                                    Reputation:low
                                                                                                                                                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.9.0.3.2.0.2.5.7.2.1.5.8.7.4.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.9.0.3.2.0.2.5.7.8.7.2.1.3.9.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.a.4.2.d.8.a.1.0.-.9.5.2.5.-.4.1.5.b.-.8.e.8.4.-.f.0.a.1.a.0.5.2.b.4.0.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.1.4.0.b.d.e.b.-.c.5.c.8.-.4.9.5.d.-.a.f.b.0.-.8.7.7.1.a.a.5.a.a.3.c.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.m.s.h.t.a...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.M.S.H.T.A...E.X.E.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.8.6.0.-.0.0.0.1.-.0.0.1.8.-.c.6.b.f.-.7.b.b.b.4.0.b.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.0.8.9.b.8.3.6.3.e.b.6.8.6.c.8.d.0.5.5.e.c.2.c.4.e.5.8.9.9.f.d.d.4.5.0.e.f.7.7.d.!.m.s.
                                                                                                                                                                    Process:C:\Windows\SysWOW64\WerFault.exe
File Type: Mini DuMP crash report, 15 streams, Mon Apr 28 13:24:17 2025, 0x1205a4 type
Category: dropped
Size (bytes): 209024
Entropy (8bit): 1.993520656538898
Encrypted: false
SSDEEP: 768:z2FoYT58R/L2nrA79iA5aHLCeZg0JZtwbqLkbLbc:z2wL2ridIHLCeZgItwbqLknbc
MD5: 0EBCECF20FC929FF205951D94C3816D9
SHA1: 0EBBCE83D2EBFE7574F5B987E09B14D16055DF86
SHA-256: F0043F9DA832FF1527D362ED91B8E7B233525B9F67C408E6A34D7B1DC0FF0650
SHA-512: F26AFBD6704F623831B43BF9C6DC548CDBF067CD7D43356796345510E44432B8D97972C3A295FD50F6AFA1C7C6ACC3789097E4FA8D9EFC22FA1FC4DDC1E94D1A
Malicious: false
Reputation: low
Preview: MDMP..a..... ..........h........................h&..........<....1..........xv..........`.......8...........T........... m..`...........L1..........83..............................................................................eJ.......3......GenuineIntel............T.......`...R..h.............................0..9...........,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 6308
Entropy (8bit): 3.716060095080873
Encrypted: false
SSDEEP: 96:RSIU6o7wVetbiR+6yi/iU+Yrs2e+at5aMQUO89bbGgsf0KJm:R6l7wVeJio6yquYQ5pDO89bbvsf0KJm
MD5: 6FD84934FD0712578CA9801BBC76F53F
SHA1: AC5CF783397DBC8B4FDE3573A434057F76CA7993
SHA-256: C880FAED69E2960C25EABFD6891DC1B57630F62E28195F7187D34EB2737CFB7F
SHA-512: 06C702DD56EC6F37FC4DFC2F3B6D79B6418CC43BC0C20196C410C218423806B50188DBE0CE01C575F5D10EB7516EAEBD57C1B67F1E17EB21B22F8360BA4E55D8
Malicious: false
Reputation: low
Preview: ..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.2.4.0.<./.P.i.

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4635
Entropy (8bit): 4.453586071163144
Encrypted: false
SSDEEP: 48:cvIwWl8zs6Jg77aI9AhVWpW8VYsYm8M4Jzgzl0FwT+q8XkVoLc0HoSTd:uIjfII76hk7V4Jz4ljUkVsxHoSTd
MD5: 9857164A4530076A42D9935D424B9AE2
SHA1: 1CD0D007FEA68C8F04DED94A50AA72716363FDF1
SHA-256: D2CB32A6419011D42EA2774E88AA39E390CBD52BB4F9758CC39E079D26EBA260
SHA-512: 02EE9B68B5AF0C94F23C1633D1D624948AA078C07DE96DC03F55EDB00F8F00AD11648CAC7217314036E736143C7DF2563BB1A11AA97B4253791ECE39E2F36255
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="825386" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

Process: C:\Windows\SysWOW64\mshta.exe
File Type: data
Category: dropped
Size (bytes): 49120
Entropy (8bit): 0.0017331682157558962
Encrypted: false
SSDEEP: 3:Ztt:T
MD5: 0392ADA071EB68355BED625D8F9695F3
SHA1: 777253141235B6C6AC92E17E297A1482E82252CC
SHA-256: B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512: EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with very long lines (26592)
Category: dropped
Size (bytes): 342599
Entropy (8bit): 5.557454057198506
Encrypted: false
SSDEEP: 3072:GPkdrV9tDBDN3+lU3g0fqfaGdY35Gk5+FioUJoquvfe+0/NPg65sjK0xGc:GsvF53+lUnoaRPYFFlv70/NPg6cK0/
MD5: D1F39E70763D986E4C9760EC78C0E1FB
SHA1: C8186252D96923F5CAAEEB9650527108C4AE9440
SHA-256: 812E1C35D3F88B5BD097BD56420F86CB9BC2495FE416C0503278688D2BCA46D7
SHA-512: 3576DA811435EAAF05544E79BE9C5A5D92F4319D84ED5CA202B36F93A9D3EC03A1D76B5C9855AB990425C5BF8AABC785A3611B6CF595113A949FB36BD0EAC01A
Malicious: false
Reputation: low
Preview: .// Copyright 2012 Google Inc. All rights reserved.. . (function(w,g){w[g]=w[g]||{};. w[g].e=function(s){return eval(s);};})(window,'google_tag_manager');. .(function(){..var data = {."resource": {. "version":"174",. . "macros":[{"function":"__u","vtp_component":"URL","vtp_enableMultiQueryKeys":false,"vtp_enableIgnoreEmptyQueryParam":false},{"function":"__e"},{"function":"__u","vtp_component":"PATH","vtp_enableMultiQueryKeys":false,"vtp_enableIgnoreEmptyQueryParam":false},{"function":"__vis","vtp_elementId":"mfAppFrame","vtp_outputMethod":"BOOLEAN","vtp_selectorType":"ID","vtp_onScreenRatio":"100"},{"function":"__j","convert_null_to":"false","convert_undefined_to":"false","vtp_name":"MF_UNICORN"},{"function":"__k","vtp_decodeCookie":false,"vtp_name":"uni-opt-out"},{"function":"__v","vtp_dataLayerVersion":2,"vtp_setDefaultValue":false,"vtp_name":"userId"},{"function":"__v","vtp_dataLayerVersion":2,"vtp_setDefaultValue":false,"vtp_name":"userType"},{"function":"__v","vtp_dataLayerVers

Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with very long lines (2361)
Category: dropped
Size (bytes): 249323
Entropy (8bit): 5.543492108669097
Encrypted: false
SSDEEP: 3072:LKdrV9tD1DN3NBUCg0fqoaGd535Gk5+FioUJoqu7JeD0/NPgdTnc:Gvp53NBUahaAPYFFl7U0/NPgdo
MD5: 9F86E846DB9AEF47C1E46E47B485699C
SHA1: 3DC8A4776B8A884E2860BE5D3439D9BA4CFE09C2
SHA-256: D42C78E4EF9F33CA085213F5BF5E83DFDE6A65A1358BF2AB19CB8F9F7AF323D5
SHA-512: 59746C1490D7591F7AD930A02505054DA83851E7D45DAE744D006C7EDAB7353D971A22F496F1AD79DBC62BDCE1670522D141E8B912B903CC5A8E9E9257CBA118
Malicious: false
Preview: .// Copyright 2012 Google Inc. All rights reserved.. .(function(){..var data = {."resource": {. "version":"1",. . "macros":[{"function":"__e"},{"function":"__cid"}],. "tags":[{"function":"__rep","once_per_event":true,"vtp_containerId":["macro",1],"tag_id":1}],. "predicates":[{"function":"_eq","arg0":["macro",0],"arg1":"gtm.js"}],. "rules":[[["if",0],["add",0]]].},."runtime":[ [50,"__cid",[46,"a"],[36,[17,[13,[41,"$0"],[3,"$0",["require","getContainerVersion"]],["$0"]],"containerId"]]]. ,[50,"__e",[46,"a"],[36,[13,[41,"$0"],[3,"$0",["require","internal.getEventData"]],["$0","event"]]]]. .].,"entities":{."__cid":{"2":true,"4":true,"3":true}.,."__e":{"2":true,"4":true}...}.,"blob":{"1":"1"}.,"permissions":{."__cid":{"read_container_data":{}}.,."__e":{"read_event_data":{"eventDataAccess":"specific","keyPatterns":["event"]}}...}....,"security_groups":{."google":[."__cid".,."__e"..]...}....};.....var k,aa=function(a){var b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{d

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, ASCII text, with very long lines (569)
Category: dropped
Size (bytes): 653519
Entropy (8bit): 5.821252682364424
Encrypted: false
SSDEEP: 6144:K+4IYIWOzpUXzgXcz1RJhG3WaJynggJ9FcfZszyIFSV7RCPt7cw04Q4+k8pHyjcf:TcEcuSFcWztkB4OXIiibAvdWLi
MD5: CBD28877A88395976F715EC0854F2851
SHA1: F35F838AF11A3BF2A2ADC866CE3E8C73A0E3275F
SHA-256: 336E6C582C23DC0FB67E2AD68159CFCEEBEE4409A0FB47B51A4323F447BEE396
SHA-512: E3E231C8937A6AF7B00FFBECB6FB7A483172948141B95919DFFDF9A9CE5651A996A7E8166BDE2677810AC372978B2926EF6A6E04982EB85C52C4E3E4C6B24521
Malicious: false
Preview: (function(){/*.. Copyright 2018 Google Inc. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/./*.. Copyright 2005, 2007 Bob Ippolito. All Rights Reserved.. Copyright The Closure Library Authors.. SPDX-License-Identifier: MIT.*/./*.. Copyright Google LLC. SPDX-License-Identifier: Apache-2.0.*/./*. Copyright The Closure Library Authors.. SPDX-License-Identifier: Apache-2.0.*/.var wS=function(){return[function(z,t,A,g,l,I,R,p,w,Y,D,G,f,n,L){return(((z^((L=[3,4,7],z)>>2>=17&&((z^42)&8)<L[0]&&(p=N[35](22,"rc-prepositional-target"),R=[],Array.prototype.forEach.call(N[8](39,l,document,g,p,"td"),function(a,q,O,S,B){((S={selected:!((B=["push",37,(O=this,17)],this.m)[B[0]](q),1),element:a,index:q},R)[B[0]](S),d[44](47,P[32](B[2],this),new sa(a),ls,function(U,C){((U=!(O.Kb((C=["rc-prepositional-selected",23,38],t)),S).selected)?(r[C[2]](20,C[0],S.element),M[4](50,A,S.index,O.m)):.(N[C[1]](99,S.element,C[0]),O.m.push(S.index)

Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 69465
Entropy (8bit): 5.508995251914778
Encrypted: false
SSDEEP: 1536:nA+DtVy1IcRdURpkou5ElpQ0YMVBQjHeJtVkRnDcdzQFp2KtzRa:AMypo1pQ0AHejTb
MD5: C43D9F000A09BD500ED8728606A09DE3
SHA1: 36AD6B0FA2C6BCD116FB642F25789FC2D08A68E6
SHA-256: 2450E5580136F94BDA7CCF95E3167B57E15B05B513A430967943A50036FA47A4
SHA-512: 802AF189282AFF84B1262A54E59463BDB9B07EC6D1DBF20FA26712B3E19A2212F1A31F2A2D4DD620D7D1313CEFF43DC4272F51A7A2407296BF6D57C11E38801B
Malicious: false
Preview: var amplitude=function(){"use strict";function t(e){return(t="function"==typeof Symbol&&"symbol"==typeof Symbol.iterator?function(e){return typeof e}:function(e){return e&&"function"==typeof Symbol&&e.constructor===Symbol&&e!==Symbol.prototype?"symbol":typeof e})(e)}function i(e,t){for(var n=0;n<t.length;n++){var i=t[n];i.enumerable=i.enumerable||!1,i.configurable=!0,"value"in i&&(i.writable=!0),Object.defineProperty(e,i.key,i)}}function r(e,t,n){return t in e?Object.defineProperty(e,t,{value:n,enumerable:!0,configurable:!0,writable:!0}):e[t]=n,e}function _(t){for(var e=1;e<arguments.length;e++){var n=null!=arguments[e]?arguments[e]:{},i=Object.keys(n);"function"==typeof Object.getOwnPropertySymbols&&(i=i.concat(Object.getOwnPropertySymbols(n).filter(function(e){return Object.getOwnPropertyDescriptor(n,e).enumerable}))),i.forEach(function(e){r(t,e,n[e])})}return t}function n(e){return function(e){if(Array.isArray(e)){for(var t=0,n=new Array(e.length);t<e.length;t++)n[t]=e[t];return n}}

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 3249
Entropy (8bit): 5.4598794938059125
Encrypted: false
SSDEEP: 96:vKFrZ/kxjqD9zqp36wxVJddFAdd5Ydddopdyddv+dd865FhlleXckVDuca:CGpv+GkduSDl6LRa
MD5: 939A9FBD880F8B22D4CDD65B7324C6DB
SHA1: 62167D495B0993DD0396056B814ABAE415A996EE
SHA-256: 156E7226C757414F8FD450E28E19D0A404FDBA2571425B203FDC9C185CF7FF0E
SHA-512: 91428FFA2A79F3D05EBDB19ED7F6490A4CEE788DF709AB32E2CDC06AEC948CDCCCDAEBF12555BE4AD315234D30F44C477823A2592258E12D77091FA01308197B
Malicious: false
Preview: ...<HTML id=dlgError STYLE="font-family: ms sans serif; font-size: 8pt;..width: 41.4em; height: 24em">..<HEAD>..<meta http-equiv="Content-Type" content="text/html; charset=utf-8">..<META HTTP-EQUIV="MSThemeCompatible" CONTENT="Yes">..<TITLE id=dialogTitle>..Script Error..</TITLE>..<SCRIPT>..var L_Dialog_ErrorMessage = "An error has occurred in this dialogue.";..var L_ErrorNumber_Text = "Error: ";..var L_ContinueScript_Message = "Do you want to debug the current page?";..var L_AffirmativeKeyCodeLowerCase_Number = 121;..var L_AffirmativeKeyCodeUpperCase_Number = 89;..var L_NegativeKeyCodeLowerCase_Number = 110;..var L_NegativeKeyCodeUpperCase_Number = 78;..</SCRIPT>..<SCRIPT LANGUAGE="JavaScript" src="error.js" defer></SCRIPT>..</HEAD>..<BODY ID=bdy onLoad="loadBdy()" style="font-family: 'ms sans serif';..font-size: 8pt; background: threedface; color: windowtext;" topmargin=0>..<CENTER id=ctrErrorMessage>..<table id=tbl1 cellPadding=3 cellspacing=3 border=0..style="background: buttonfa

Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text, with very long lines (911), with no line terminators
Category: dropped
Size (bytes): 911
Entropy (8bit): 5.484507274243087
Encrypted: false
SSDEEP: 24:2jkm94/zKPccAgnHs+KVCekteS189ZsLqo40RWUnYN:VKEcznfKoHMS188LrwUnG
MD5: D3C78DBD615BA7840D0AEB2B8E075645
SHA1: 76F36B2F804C7855B6ACFDEDACE61561236F338D
SHA-256: EBBFBBD72E10308320AEBEFEB1E706A9C2373CB4CAAA6543C6CFDA5DF65EE827
SHA-512: 727E4EF943FC55CDF30D296A835A492432E6DA513242FC29D2BE505B7A64D9E9870FC377F5A9F2DDF69968F65825E071CC32662C54FF6EC92059A4C57861296C
Malicious: false
Preview: /* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.google.com/recaptcha/api2/';(cfg['render']=cfg['render']||[]).push('onload');(cfg['clr']=cfg['clr']||[]).push('true');w['__google_recaptcha_client']=true;var d=document,po=d.createElement('script');po.type='text/javascript';po.async=true; po.charset='utf-8';po.src='https://www.gstatic.com/recaptcha/releases/w0_qmZVSdobukXrBwYd9dTF7/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-kEsiil6fLViurM8481EXdJQQkHQUuq7A6OY7TuhkXySraE/9k/xc7bPynNEFwlr3';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce',n);}var s=d.getElementsByTagName('script')[0];s.parentNode.insertBefore(po, s);})();

Process: C:\Windows\SysWOW64\mshta.exe
File Type: ASCII text
Category: dropped
Size (bytes): 247
Entropy (8bit): 5.428842177231087
Encrypted: false
SSDEEP: 6:0IFFm15+56ZRWHMVgjWizlpdUD4uFl8vpAtCIif0RHC:jFMO6ZRoMYW6pSZE6tCrf0Ri
MD5: F5DBA43B69C83A48868FECAD364B5B34
SHA1: 2A536D153CBBEA8037BE9B3DA5F2A51B6DCFB382
SHA-256: 4E05BF034F35EE0FD5263203A049263645F575B4846F721F667BEC6505362063
SHA-512: F767C167FB7D60405558BFB15FB529DDC00C2E2169F8A938D5B7DC18DF4A4D51E4A4CCBD5EECC61732E592393676C288949F6048B526E78149280F226853DFAF
Malicious: false
Preview: @font-face {. font-family: 'Open Sans';. font-style: normal;. font-weight: 400;. font-stretch: normal;. src: url(https://fonts.gstatic.com/l/font?kit=memSYaGs126MiZpBA-UvWbX2vVnXBbObj2OVZyOOSr4dVJWUgsjZ0B4gaVY&skey=62c1cbfccc78b4b2&v=v40);.}.

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1681
Entropy (8bit): 4.567538112791388
Encrypted: false
SSDEEP: 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5: C74D57042D3614B92F2E0AF783ACD5DE
SHA1: 415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256: 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512: F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious: false
Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

Process: C:\Windows\SysWOW64\mshta.exe
File Type: PNG image data, 42 x 42, 8-bit gray+alpha, non-interlaced
Category: dropped
Size (bytes): 364
Entropy (8bit): 7.194326738537886
Encrypted: false
SSDEEP: 6:6v/lhPU8jVmdbt/MpnnOd7eDXtJAE4u8z7tGyyo+XUDDJim6FeH0b2cz8JXKNrkb:6v/78Imdbt8XTAE4afoDDD56FW0KO8c4
MD5: A3E216FD5E461266BABB87B1DA5B7BD1
SHA1: 3F130DDF6A59146BAD1D5299AD7E290E737D39B0
SHA-256: 5D974171B3B423F80948236CFBFB8F50005D85C767545E8E5EE6D74B8D8EA5DF
SHA-512: DB2DD6B1B2F3A1F32593F7122812071C6A98920DAE318A446671CBD9CCA6B54768EC6C14B3E267ACF9CBAEFAFB3EB4D6E4262A0DC5E98B76EB34EFBBBFE14C75
Malicious: false
Preview: .PNG........IHDR...*...*.....o......3IDATx.../KCq...oZ.A0L... ".Q....5.Xd..{......Y... ..*&..-..'..{....{..$.....s8....H..F.6m...R2..D....c..aZdd.5Q*.a..Q|feA..=YP..L..q....\......K.............G....X......(>...(..b.(;.b..a:L.s....|..EF.OPAIQ"..$X......,..^...G.1v.U*t....V4..<..=k.B.*VU..Y>H.l0..GR...c......j....oV.G....~...%..d_>..K.g....IEND.B`.

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 1681
Entropy (8bit): 4.567538112791388
Encrypted: false
SSDEEP: 24:rC7cWhfs5mVM4mVMyIjmgAV28EFP8hRqh/k+CkE03vjqX:u7o5V4VtihV2lFUWlEqvj6
MD5: C74D57042D3614B92F2E0AF783ACD5DE
SHA1: 415F8A0F5DBD61D622724034C182C0B15E80CD20
SHA-256: 05182A8C3A558E671705B8A8421712A9715A1D597606E3710A6D6CFEB00FB462
SHA-512: F33BC2CDA990B07FE8EA37A1F68DDDBF5FA9A67CA028019EA4D848B70CC6410D1468E0CE8F8132665124F6E4B8438AFFC41FB562D9E4A1401498E46CD0D1A0EC
Malicious: false
Preview: .<!DOCTYPE HTML>..<html>.. <head>.. <link rel="stylesheet" type="text/css" href="NewErrorPageTemplate.css">.. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.. <title>Can&rsquo;t reach this page</title>.. <script src="errorPageStrings.js" language="javascript" type="text/javascript">.. </script>.. <script src="httpErrorPagesScripts.js" language="javascript" type="text/javascript">.. </script>.. </head>.... <body onLoad="javascript:getInfo();">.. <div id="contentContainer" class="mainContent">.. <div id="mainTitle" class="title">Can&rsquo;t reach this page</div>.. <div class="taskSection" id="taskSection">.. <ul id="cantDisplayTasks" class="tasks">.. <li id="task1-1">Make sure the web address <span id="webpage" class="webpageURL"></span>is correct</li>.. <li id="task1-2">Search for this site on Bing</li>.. <l

Process: C:\Windows\SysWOW64\mshta.exe
File Type: HTML document, Unicode text, UTF-8 text, with very long lines (32769)
Category: dropped
Size (bytes): 94840
Entropy (8bit): 5.372946098601679
Encrypted: false
SSDEEP: 1536:8YRKUfAjtledhTmtaFyQHGvCXsedOgRc9izzr4yff8teLvHHEjam7W5X3yzSiLnM:VUb6GvCu09s2o2skAieW
MD5: B8D64D0BC142B3F670CC0611B0AEBCAE
SHA1: ABCD2BA13348F178B17141B445BC99F1917D47AF
SHA-256: 47B68DCE8CB6805AD5B3EA4D27AF92A241F4E29A5C12A274C852E4346A0500B4
SHA-512: A684ABBE37E8047C55C394366B012CC9AE5D682D29D340BC48A37BE1A549AECED72DE6408BEDFED776A14611E6F3374015B236FBF49422B2982EF18125FF47DC
Malicious: false
Preview: /*! jQuery v1.7.2 jquery.com | jquery.org/license */.(function(a,b){function cy(a){return f.isWindow(a)?a:a.nodeType===9?a.defaultView||a.parentWindow:!1}function cu(a){if(!cj[a]){var b=c.body,d=f("<"+a+">").appendTo(b),e=d.css("display");d.remove();if(e==="none"||e===""){ck||(ck=c.createElement("iframe"),ck.frameBorder=ck.width=ck.height=0),b.appendChild(ck);if(!cl||!ck.createElement)cl=(ck.contentWindow||ck.contentDocument).document,cl.write((f.support.boxModel?"<!doctype html>":"")+"<html><body>"),cl.close();d=cl.createElement(a),cl.body.appendChild(d),e=f.css(d,"display"),b.removeChild(ck)}cj[a]=e}return cj[a]}function ct(a,b){var c={};f.each(cp.concat.apply([],cp.slice(0,b)),function(){c[this]=a});return c}function cs(){cq=b}function cr(){setTimeout(cs,0);return cq=f.now()}function ci(){try{return new a.ActiveXObject("Microsoft.XMLHTTP")}catch(b){}}function ch(){try{return new a.XMLHttpRequest}catch(b){}}function cb(a,c){a.dataFilter&&(c=a.dataFilter(c,a.dataType));var d=a.dataTyp

Process: C:\Windows\SysWOW64\WerFault.exe
File Type: MS Windows registry file, NT/2000 or above
Category: dropped
Size (bytes): 1835008
Entropy (8bit): 4.420411593408928
Encrypted: false
SSDEEP: 6144:Ccifpi6ceLPL9skLmb0mGSWSPtaJG8nAgex285i2MMhA20X4WABlUuNb5+:vi58GSWIZBk2MM6AFnJo
MD5: 9CC6D9348F3DBA484E35A2E850B7E1AF
SHA1: 0C3F98D016778A350234289AB476DE9DA43CEF13
SHA-256: D6381D2354DBCA1931AC79EE8DBE8056844F66EE03997D748E13139B1FBD2939
SHA-512: 22985DB86E89B3412B3F730969B2AA1FA74E5CEE6201ED374990076096784D20350E601CC5C356F58B40EE2BD460253C5973385DC02E873D3235049A91C98F53
Malicious: false
Preview: regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmRj..@..... (remainder of the hive preview is null padding)

File type: HTML document, ASCII text, with very long lines (9184)
Entropy (8bit): 5.319647508076908
TrID:
• HyperText Markup Language (12502/1) 100.00%
File name: default.hta
File size: 33'598 bytes
MD5: 3dbd4bfc0e65d7ad83d90a9b45f65e49
SHA1: 7ce5d14340c68ff26e602ed903765f6ce5cc75b3
SHA256: 7f442e5bbc06204cec861f2bfde13bec0ba0cbdf3becb54caa421e03f09a1426
SHA512: 78f4469ba1d2254a47e681a174bf9e7e31ac6394f17bfdbf0913c159089caba790b43287d406728113343239c8d89b804154ade90b2a8551b187c451075c72c7
SSDEEP: 768:M5Rdm1AxUzHqrds/SozKiBbK6Kf3ISe2fx/Y:M5Rdm1A8H5SoLbjc3Iqx/Y
TLSH: D7E2F822FDA5903602674199F7BBA709F371404BCA08CA10F2FC866A6FD9E46CC579DD
File Content Preview: <!DOCTYPE html> <html lang="en-US" xmlns:fb="http://www.facebook.com/2008/fbml" xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />.<title>File sharing and storage made simple</title>.<


• Total Packets: 45
• 445 (Microsoft-DS)
• 443 (HTTPS)
• 139 (NetBIOS Session Service)
• 80 (HTTP)
• 53 (DNS)
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 28, 2025 15:23:31.507411003 CEST  49681        445        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:32.517420053 CEST  49681        445        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:32.890141964 CEST  49683        139        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:33.892005920 CEST  49683        139        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:34.517111063 CEST  49681        445        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:35.907846928 CEST  49683        139        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:38.518861055 CEST  49681        445        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:39.924036026 CEST  49683        139        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:46.517067909 CEST  49681        445        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:47.938977003 CEST  49683        139        192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:54.155805111 CEST  49693        443        192.168.2.7      142.250.69.4
Apr 28, 2025 15:23:54.155848026 CEST  443          49693      142.250.69.4     192.168.2.7
Apr 28, 2025 15:23:54.155998945 CEST  49693        443        192.168.2.7      142.250.69.4
Apr 28, 2025 15:23:54.236280918 CEST  49696        80         192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:54.291167021 CEST  49693        443        192.168.2.7      142.250.69.4
Apr 28, 2025 15:23:54.291193008 CEST  443          49693      142.250.69.4     192.168.2.7
Apr 28, 2025 15:23:54.376355886 CEST  80           49696      104.17.150.117   192.168.2.7
Apr 28, 2025 15:23:54.379251957 CEST  49696        80         192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:54.534904003 CEST  49696        80         192.168.2.7      104.17.150.117
Apr 28, 2025 15:23:54.609657049 CEST  443          49693      142.250.69.4     192.168.2.7
Apr 28, 2025 15:23:54.610003948 CEST  49693        443        192.168.2.7      142.250.69.4
Apr 28, 2025 15:23:54.674770117 CEST  80           49696      104.17.150.117   192.168.2.7
Apr 28, 2025 15:23:54.706094980 CEST  49693        443        192.168.2.7      142.250.69.4
Apr 28, 2025 15:23:54.706113100 CEST  443          49693      142.250.69.4     192.168.2.7
Apr 28, 2025 15:23:54.706334114 CEST  443          49693      142.250.69.4     192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.706382990 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.714365959 CEST8049696104.17.150.117192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.714596987 CEST4969680192.168.2.7104.17.150.117
                                                                                                                                                                    Apr 28, 2025 15:23:54.715740919 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.760274887 CEST44349693142.250.69.4192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.939745903 CEST44349693142.250.69.4192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.939798117 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.939811945 CEST44349693142.250.69.4192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.939853907 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.939853907 CEST44349693142.250.69.4192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:54.939902067 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.941302061 CEST49693443192.168.2.7142.250.69.4
                                                                                                                                                                    Apr 28, 2025 15:23:54.941318035 CEST44349693142.250.69.4192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.184190035 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.184228897 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.184289932 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.184700012 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.184714079 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.491992950 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.492058039 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.495714903 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.495723963 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.495940924 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.495987892 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.496409893 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.544275999 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.864797115 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.864814997 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.864830971 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.864842892 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.865077972 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.865086079 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.865394115 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.868839979 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.868913889 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.873040915 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.873115063 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.873188972 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.873188972 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.873347998 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.873347998 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:23:55.873359919 CEST443497013.163.125.15192.168.2.7
                                                                                                                                                                    Apr 28, 2025 15:23:55.873658895 CEST49701443192.168.2.73.163.125.15
                                                                                                                                                                    Apr 28, 2025 15:24:23.832103014 CEST4969680192.168.2.7104.17.150.117
Timestamp                             Source Port  Dest Port  Source IP    Dest IP
Apr 28, 2025 15:23:54.009649992 CEST  55680        53         192.168.2.7  1.1.1.1
Apr 28, 2025 15:23:54.054061890 CEST  53350        53         192.168.2.7  1.1.1.1
Apr 28, 2025 15:23:54.149713993 CEST  53           55680      1.1.1.1      192.168.2.7
Apr 28, 2025 15:23:54.196357012 CEST  53           53350      1.1.1.1      192.168.2.7
Apr 28, 2025 15:23:55.039377928 CEST  61416        53         192.168.2.7  1.1.1.1
Apr 28, 2025 15:23:55.182951927 CEST  53           61416      1.1.1.1      192.168.2.7
Timestamp                             Source IP       Dest IP         Checksum  Code  Type
Apr 28, 2025 15:23:32.747894049 CEST  192.168.2.7     104.17.150.117  4f5c      -     Echo
Apr 28, 2025 15:23:32.889550924 CEST  104.17.150.117  192.168.2.7     575c      -     Echo Reply
Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name               Type            Class        DNS over HTTPS
Apr 28, 2025 15:23:54.009649992 CEST  192.168.2.7  1.1.1.1  0x5778    Standard query (0)  www.google.com     A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:54.054061890 CEST  192.168.2.7  1.1.1.1  0xd74     Standard query (0)  www.mediafire.com  A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:55.039377928 CEST  192.168.2.7  1.1.1.1  0x8273    Standard query (0)  cdn.amplitude.com  A (IP address)  IN (0x0001)  false

Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name               CName  Address         Type            Class        DNS over HTTPS
Apr 28, 2025 15:23:54.149713993 CEST  1.1.1.1    192.168.2.7  0x5778    No error (0)  www.google.com     -      142.250.69.4    A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:54.196357012 CEST  1.1.1.1    192.168.2.7  0xd74     No error (0)  www.mediafire.com  -      104.17.150.117  A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:54.196357012 CEST  1.1.1.1    192.168.2.7  0xd74     No error (0)  www.mediafire.com  -      104.17.151.117  A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:55.182951927 CEST  1.1.1.1    192.168.2.7  0x8273    No error (0)  cdn.amplitude.com  -      3.163.125.15    A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:55.182951927 CEST  1.1.1.1    192.168.2.7  0x8273    No error (0)  cdn.amplitude.com  -      3.163.125.36    A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:55.182951927 CEST  1.1.1.1    192.168.2.7  0x8273    No error (0)  cdn.amplitude.com  -      3.163.125.20    A (IP address)  IN (0x0001)  false
Apr 28, 2025 15:23:55.182951927 CEST  1.1.1.1    192.168.2.7  0x8273    No error (0)  cdn.amplitude.com  -      3.163.125.128   A (IP address)  IN (0x0001)  false

• www.google.com
• cdn.amplitude.com
• www.mediafire.com
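The connection and DNS tables above come out of the report export with their columns run together (ports and addresses fused into one digit string). The Python below is an added example, not part of the Joe Sandbox report, that re-splits rows in that form, joins each remote address to the DNS answer it was resolved from, and flags the NetBIOS/SMB attempts on ports 139 and 445 against a public address, which is what the "Opens network shares" signature in the overview refers to. It assumes the sandbox address 192.168.2.7 and the Windows dynamic port range (49152 and up) to decide where one port ends and the next begins; the sample rows are copied from the tables above and embedded as constructed input.

```python
import ipaddress
import re

LOCAL_IP = "192.168.2.7"   # sandbox VM address used throughout this report
EPHEMERAL_MIN = 49152      # Windows dynamic port range; assumption used to split fused ports

# Constructed input: rows copied from the TCP/UDP and DNS-answer tables above,
# in the separator-less form the report export produced.
TCP_ROWS = """\
Apr 28, 2025 15:23:39.924036026 CEST49683139192.168.2.7104.17.150.117
Apr 28, 2025 15:23:46.517067909 CEST49681445192.168.2.7104.17.150.117
Apr 28, 2025 15:23:54.155805111 CEST49693443192.168.2.7142.250.69.4
Apr 28, 2025 15:23:54.155848026 CEST44349693142.250.69.4192.168.2.7
Apr 28, 2025 15:23:54.236280918 CEST4969680192.168.2.7104.17.150.117
Apr 28, 2025 15:23:55.184190035 CEST49701443192.168.2.73.163.125.15
"""
DNS_ANSWERS = """\
Apr 28, 2025 15:23:54.149713993 CEST1.1.1.1192.168.2.70x5778No error (0)www.google.com142.250.69.4A (IP address)IN (0x0001)false
Apr 28, 2025 15:23:54.196357012 CEST1.1.1.1192.168.2.70xd74No error (0)www.mediafire.com104.17.150.117A (IP address)IN (0x0001)false
Apr 28, 2025 15:23:55.182951927 CEST1.1.1.1192.168.2.70x8273No error (0)cdn.amplitude.com3.163.125.15A (IP address)IN (0x0001)false
"""

OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"          # rejects zero-padded octets
IPV4_RE = re.compile(rf"(?:{OCTET}\.){{3}}{OCTET}")
ROW_RE = re.compile(r"(?P<ts>.+? [A-Z]{3,4})(?P<blob>\d[\d.]*)")
DNS_RE = re.compile(
    r"(?P<ts>.+? [A-Z]{3,4})(?P<ips>[\d.]+?)(?P<txid>0x[0-9a-f]+)(?P<rcode>.+?\(\d+\))"
    rf"(?P<name>[a-z0-9.-]+?)(?P<addr>{IPV4_RE.pattern})A \(IP address\)IN \(0x0001\)(?P<doh>true|false)"
)

def is_ipv4(s):
    return IPV4_RE.fullmatch(s) is not None

def split_ports(digits, local_is_src):
    """Split fused '<srcport><dstport>'; exactly one split may put the local side in the
    ephemeral range and the remote side below it, otherwise the row is refused."""
    cands = []
    for i in range(1, len(digits)):
        a, b = digits[:i], digits[i:]
        if a.startswith("0") or b.startswith("0"):      # the report never zero-pads ports
            continue
        pa, pb = int(a), int(b)
        if not (1 <= pa <= 65535 and 1 <= pb <= 65535):
            continue
        local, remote = (pa, pb) if local_is_src else (pb, pa)
        if local >= EPHEMERAL_MIN > remote:
            cands.append((pa, pb))
    if len(cands) != 1:
        raise ValueError(f"ambiguous port split {digits!r}: {cands}")
    return cands[0]

def parse_flow_row(row):
    """Re-split one flattened TCP/UDP row into timestamp, ports and addresses."""
    m = ROW_RE.fullmatch(row.strip())
    if not m:
        raise ValueError(f"unrecognised row: {row!r}")
    blob = m["blob"]
    if blob.endswith(LOCAL_IP):                       # remote -> local: try every IP boundary
        head, cands = blob[: -len(LOCAL_IP)], []
        for i in range(1, len(head)):
            ports, remote = head[:i], head[i:]
            if ports.isdigit() and is_ipv4(remote):
                try:
                    cands.append((*split_ports(ports, False), remote, LOCAL_IP))
                except ValueError:
                    pass
        if len(cands) != 1:
            raise ValueError(f"ambiguous row {row!r}: {cands}")
        sport, dport, src, dst = cands[0]
    else:                                             # local -> remote: local IP follows the ports
        idx = blob.find(LOCAL_IP)
        ports, remote = blob[:idx], blob[idx + len(LOCAL_IP):]
        if idx < 1 or not ports.isdigit() or not is_ipv4(remote):
            raise ValueError(f"unrecognised row: {row!r}")
        sport, dport = split_ports(ports, True)
        src, dst = LOCAL_IP, remote
    return {"ts": m["ts"], "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_dns_answer(row):
    """Re-split one flattened DNS answer row (direct A answers from the resolver to the VM)."""
    m = DNS_RE.fullmatch(row.strip())
    if not m or not m["ips"].endswith(LOCAL_IP) or not is_ipv4(m["ips"][: -len(LOCAL_IP)]):
        raise ValueError(f"unrecognised DNS row: {row!r}")
    return {"ts": m["ts"], "src": m["ips"][: -len(LOCAL_IP)], "dst": LOCAL_IP, "txid": m["txid"],
            "rcode": m["rcode"], "name": m["name"], "addr": m["addr"], "doh": m["doh"] == "true"}

def summarise(tcp_rows, dns_rows):
    """Group packets per remote endpoint, attach the name it was resolved from, and flag
    NetBIOS/SMB (139/445) attempts against public addresses."""
    ip_to_name = {}
    for line in dns_rows.splitlines():
        rec = parse_dns_answer(line)
        ip_to_name.setdefault(rec["addr"], rec["name"])
    summary = {}
    for line in tcp_rows.splitlines():
        f = parse_flow_row(line)
        remote, port = (f["dst"], f["dport"]) if f["src"] == LOCAL_IP else (f["src"], f["sport"])
        entry = summary.setdefault((remote, port), {"remote": remote, "port": port,
                                                  "name": ip_to_name.get(remote), "packets": 0, "flags": []})
        entry["packets"] += 1
    for entry in summary.values():
        if entry["port"] in (139, 445) and ipaddress.ip_address(entry["remote"]).is_global:
            entry["flags"].append("share access (139/445) to public host")
    return list(summary.values())
```

The port split is refused rather than guessed when more than one boundary is plausible, so a row whose remote port also sits in the dynamic range (the case the "non-standard ports" signature covers) raises instead of silently yielding a wrong endpoint; for such rows the source pcap, not the exported table, is the thing to read.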
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49696        104.17.150.117  80                6240  C:\Windows\SysWOW64\mshta.exe

Timestamp                             Bytes transferred  Direction  Data
Apr 28, 2025 15:23:54.534904003 CEST  333                OUT        GET /images/icons/myfiles/default.png HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.mediafire.com
Connection: Keep-Alive

Apr 28, 2025 15:23:54.714365959 CEST  1222               IN         HTTP/1.1 200 OK
Date: Mon, 28 Apr 2025 13:23:54 GMT
Content-Type: image/png
Content-Length: 364
Connection: keep-alive
CF-Ray: 9376e07a4d477867-PHX
CF-Cache-Status: HIT
Accept-Ranges: bytes
Access-Control-Allow-Origin: *
Age: 13
Cache-Control: max-age=2592000
ETag: "62deda56-1a8"
Expires: Wed, 28 May 2025 09:24:41 GMT
Last-Modified: Mon, 25 Jul 2022 18:00:54 GMT
Vary: Accept-Encoding
access-control-allow-methods: OPTIONS, POST, GET
alt-svc: h3=":443"; ma=86400
Cf-Bgj: imgq:100,h2pri
Cf-Polished: origSize=424
x-mf-env: liveApi
x-mf-fe: mf1
Set-Cookie: __cf_bm=CmmQ6i9tWqTulZz9WupSJXjl6VRLy9t9Xf2eSk0pUSM-1745846634-1.0.1.1-7tayD3t2b5xh3_q_gOO6.HfVnXHx98r7wcI0_uDkCMhQSVq3kfZFgQinYIrEVu9b6BcFRHG3KeQVxlMVpZocUqqrXFM0hD43e.BY_QfQXoM; path=/; expires=Mon, 28-Apr-25 13:53:54 GMT; domain=.mediafire.com; HttpOnly
Server: cloudflare
Data Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 2a 00 00 00 2a 08 04 00 00 00 6f ca 01 d0 00 00 01 33 49 44 41 54 78 da ed d5 2f 4b 43 71 14 87 f1 6f 5a 14 41 30 4c a6 82 c1 20 22 a8 51 8c 16 83 8c 35 ab 58 64 13 0c 7b 07 06 c1 e9 1b 90 59 0c c2 dc 82 20 e2 d0 b6 2a 26 b1 0f 2d 2e f9 27 8c cd 7b f7 18 07 97 7b 7f f3 9e bb 24 fb bc 80 a7 9c 73 38 1a 19 f9 0f 48 91 a3 46 93 36 6d 9a d4 c8 91 52 32 cc f3 44 d0 0b 0b b2 63 86 16 61 5a 64 64 c5 35 51 2a b2 61 8e 1e 51 7c 66 65 41 1e 97 3d 59 50 c6 e5 4c 16 d4 71 b9 95 05 0d 5c 1a b2 e0 0e 97 1b 4b f2 00 1f 17 8f 0d c5 c5 15 83 14 15 17 47 0c b2 ad b8 58 c6 ed 87 b4 e2 e3 04 9f 28 3e 87 b2 e1 92 28 17 b2 62 97 28 3b b2 62 92 0e 61 3a 4c c8 8e 73 c2 94 95 04 d3 7c 13 f4 45 46 c9 b0 4f 50 41 49 51 22 a8 a4 24 58 e2 18 8f a0 1e a7 2c da e6 5e e4 19 97 47 f2 31 76 80 55 2a 74 f9 8b 2e 15 56 34 08 eb 3c 10 d7 3d 6b 8a 42 9a 2a 56 55 a6 c2 92 59 3e 48 e2 93 6c 30 b9 85 47 52 1e 9b ea 63 9c 16 c3 f0 ce 98 e3 6a cc 0a 8e 0f 6f 56 ef 47 df 18 96 d7 7e b4 [TRUNCATED]
Data Ascii: PNGIHDR**o3IDATx/KCqoZA0L "Q5Xd{Y *&-.'{{$s8HF6mR2DcaZdd5Q*aQ|feA=YPLq\KGX(>(b(;ba:Ls|EFOPAIQ"$X,^G1vU*t.V4<=kB*VUY>Hl0GRcjoVG~%d_>KgIENDB`
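The "Data Raw" dump of the mediafire response above opens with a PNG signature, and the headers disclose three different sizes: Content-Length 364, the size field of the ETag (0x1a8 = 424) and Cf-Polished origSize=424. The Python below is an added example, not part of the report, that decodes the first 41 bytes of that dump (copied from above; the page truncates the rest), validates the signature and the IHDR chunk, walks the chunk headers that survive, and reconciles the sizes. It assumes the origin emits nginx-style ETags of the form <mtime hex>-<size hex>; the code checks that assumption against the Last-Modified header instead of taking it on faith.

```python
import struct
import zlib
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed input: the first 41 bytes of the "Data Raw" dump of the mediafire
# response above (the page truncates the dump) and the headers it arrived with.
DATA_RAW_PREFIX = (
    "89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 2a 00 00 00 2a "
    "08 04 00 00 00 6f ca 01 d0 00 00 01 33 49 44 41 54"
)
HEADERS = {
    "Content-Type": "image/png",
    "Content-Length": "364",
    "ETag": '"62deda56-1a8"',
    "Last-Modified": "Mon, 25 Jul 2022 18:00:54 GMT",
    "Cf-Polished": "origSize=424",
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOUR_TYPES = {0: "greyscale", 2: "truecolour", 3: "indexed", 4: "greyscale+alpha", 6: "truecolour+alpha"}

def hex_dump_to_bytes(dump):
    """Turn the report's space-separated hex dump back into bytes."""
    return bytes.fromhex(dump.replace(" ", ""))

def parse_ihdr(data):
    """Check the PNG signature and decode the mandatory first chunk (IHDR); only the
    first 33 bytes are needed, so this works on the truncated dump."""
    if len(data) < 33 or not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG (bad or missing signature)")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (stored_crc,) = struct.unpack(">I", data[29:33])
    width, height, depth, colour, compression, filt, interlace = struct.unpack(">IIBBBBB", body)
    if compression != 0 or filt != 0:
        raise ValueError("unknown compression/filter method in IHDR")
    return {
        "width": width, "height": height, "bit_depth": depth,
        "colour_type": COLOUR_TYPES.get(colour, colour), "interlaced": interlace == 1,
        "ihdr_crc_ok": zlib.crc32(ctype + body) == stored_crc,   # PNG CRC covers type + data
    }

def walk_chunks(data):
    """List (type, length) for every chunk whose 8-byte header survives in the dump."""
    chunks, pos = [], 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append((ctype.decode("ascii"), length))
        pos += 12 + length          # length field + type + data + CRC
    return chunks

def reconcile_sizes(headers):
    """Explain the three sizes the response discloses. Assumes nginx-style ETags
    ("<mtime hex>-<size hex>"); the Last-Modified comparison tests that assumption."""
    declared = int(headers["Content-Length"])
    mtime_hex, size_hex = headers["ETag"].strip('"').split("-")
    etag_mtime = datetime.fromtimestamp(int(mtime_hex, 16), tz=timezone.utc)
    origin_size = int(size_hex, 16)
    polished_origin = int(headers["Cf-Polished"].split("=", 1)[1])
    return {
        "declared": declared,
        "origin_size": origin_size,
        "polished_origin": polished_origin,
        "etag_mtime_matches_last_modified": etag_mtime == parsedate_to_datetime(headers["Last-Modified"]),
        # Polish re-encoded the image: the bytes on the wire are not the origin file.
        "recompressed_by_cdn": origin_size == polished_origin and declared != origin_size,
    }

if __name__ == "__main__":
    data = hex_dump_to_bytes(DATA_RAW_PREFIX)
    print(parse_ihdr(data), walk_chunks(data), reconcile_sizes(HEADERS))
```

Even with only the IHDR and the IDAT header available, the accounting closes: signature 8 + IHDR (12 + 13) + IDAT (12 + 0x133 = 319) + IEND 12 = 364, the declared Content-Length, which is consistent with a single-IDAT 42x42 greyscale+alpha icon. The smaller wire size is Cloudflare Polish re-encoding the 424-byte origin file (the ETag's mtime also matches Last-Modified to the second), not a tampered download, so the size mismatch alone is not an indicator here.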


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.7  49693        142.250.69.4    443               6240  C:\Windows\SysWOW64\mshta.exe

Timestamp                Bytes transferred  Direction  Data
2025-04-28 13:23:54 UTC  314                OUT        GET /recaptcha/api.js HTTP/1.1
Accept: */*
Accept-Language: en-CH
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: www.google.com
Connection: Keep-Alive

2025-04-28 13:23:54 UTC  749                IN         HTTP/1.1 200 OK
Content-Type: text/javascript; charset=utf-8
Expires: Mon, 28 Apr 2025 13:23:54 GMT
Date: Mon, 28 Apr 2025 13:23:54 GMT
Cache-Control: private, max-age=300
Cross-Origin-Resource-Policy: cross-origin
Cross-Origin-Opener-Policy-Report-Only: same-origin; report-to="coop_38fac9d5b82543fc4729580d18ff2d3d"
Report-To: {"group":"coop_38fac9d5b82543fc4729580d18ff2d3d","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/38fac9d5b82543f

c4729580d18ff2d3d"}]}
Server: ESF
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
Accept-Ranges: none
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked

2025-04-28 13:23:54 UTC  575                IN         Data Raw: 33 38 66 0d 0a 2f 2a 20 50 4c 45 41 53 45 20 44 4f 20 4e 4f 54 20 43 4f 50 59 20 41 4e 44 20 50 41 53 54 45 20 54 48 49 53 20 43 4f 44 45 2e 20 2a 2f 28 66 75 6e 63 74 69 6f 6e 28 29 7b 76 61 72 20 77 3d 77 69 6e 64 6f 77 2c 43 3d 27 5f 5f 5f 67 72 65 63 61 70 74 63 68 61 5f 63 66 67 27 2c 63 66 67 3d 77 5b 43 5d 3d 77 5b 43 5d 7c 7c 7b 7d 2c 4e 3d 27 67 72 65 63 61 70 74 63 68 61 27 3b 76 61 72 20 67 72 3d 77 5b 4e 5d 3d 77 5b 4e 5d 7c 7c 7b 7d 3b 67 72 2e 72 65 61 64 79 3d 67 72 2e 72 65 61 64 79 7c 7c 66 75 6e 63 74 69 6f 6e 28 66 29 7b 28 63 66 67 5b 27 66 6e 73 27 5d 3d 63 66 67 5b 27 66 6e 73 27 5d 7c 7c 5b 5d 29 2e 70 75 73 68 28 66 29 3b 7d 3b 77 5b 27 5f 5f 72 65 63 61 70 74 63 68 61 5f 61 70 69 27 5d 3d 27 68 74 74 70 73 3a 2f 2f 77 77 77 2e 67
Data Ascii: 38f/* PLEASE DO NOT COPY AND PASTE THIS CODE. */(function(){var w=window,C='___grecaptcha_cfg',cfg=w[C]=w[C]||{},N='grecaptcha';var gr=w[N]=w[N]||{};gr.ready=gr.ready||function(f){(cfg['fns']=cfg['fns']||[]).push(f);};w['__recaptcha_api']='https://www.g
                                                                                                                                                                    2025-04-28 13:23:54 UTC343INData Raw: 6b 58 72 42 77 59 64 39 64 54 46 37 2f 72 65 63 61 70 74 63 68 61 5f 5f 65 6e 2e 6a 73 27 3b 70 6f 2e 63 72 6f 73 73 4f 72 69 67 69 6e 3d 27 61 6e 6f 6e 79 6d 6f 75 73 27 3b 70 6f 2e 69 6e 74 65 67 72 69 74 79 3d 27 73 68 61 33 38 34 2d 6b 45 73 69 69 6c 36 66 4c 56 69 75 72 4d 38 34 38 31 45 58 64 4a 51 51 6b 48 51 55 75 71 37 41 36 4f 59 37 54 75 68 6b 58 79 53 72 61 45 2f 39 6b 2f 78 63 37 62 50 79 6e 4e 45 46 77 6c 72 33 27 3b 76 61 72 20 65 3d 64 2e 71 75 65 72 79 53 65 6c 65 63 74 6f 72 28 27 73 63 72 69 70 74 5b 6e 6f 6e 63 65 5d 27 29 2c 6e 3d 65 26 26 28 65 5b 27 6e 6f 6e 63 65 27 5d 7c 7c 65 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 27 6e 6f 6e 63 65 27 29 29 3b 69 66 28 6e 29 7b 70 6f 2e 73 65 74 41 74 74 72 69 62 75 74 65 28 27 6e 6f 6e 63 65
                                                                                                                                                                    Data Ascii: kXrBwYd9dTF7/recaptcha__en.js';po.crossOrigin='anonymous';po.integrity='sha384-kEsiil6fLViurM8481EXdJQQkHQUuq7A6OY7TuhkXySraE/9k/xc7bPynNEFwlr3';var e=d.querySelector('script[nonce]'),n=e&&(e['nonce']||e.getAttribute('nonce'));if(n){po.setAttribute('nonce
                                                                                                                                                                    2025-04-28 13:23:54 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                                                                                                    Data Ascii: 0
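The reCAPTCHA loader captured in the response above pins the next script it appends (recaptcha__en.js) with po.integrity='sha384-...' and copies any CSP nonce it finds. The following is an added example, not code from this report or from the reCAPTCHA loader, showing what that integrity token commits to and how a browser checks a fetched body against it, including the rule that only the strongest listed algorithm counts. The script body and the integrity strings below are constructed for the example; the real recaptcha__en.js body is not on this page, so its token cannot be verified here.

```python
"""Verify a Subresource Integrity (SRI) token the way a browser does.

Added example; not code from the sandbox report or from the reCAPTCHA
loader it captured. The sample body below is constructed for the example.
"""
from __future__ import annotations

import base64
import hashlib

# SRI hash functions in ascending strength, as the SRI spec ranks them.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_digest(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity token 'algo-<base64 digest>' for a body."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def parse_integrity(integrity: str) -> dict[str, list[str]]:
    """Split an integrity attribute into {algo: [tokens]}.

    Tokens with an unknown algorithm are skipped rather than failing, which
    is what the spec requires for forward compatibility. Any '?options'
    suffix on a token is dropped before comparison.
    """
    parsed: dict[str, list[str]] = {}
    for token in integrity.split():
        algo, sep, rest = token.partition("-")
        if not sep or algo not in SRI_ALGORITHMS:
            continue
        value = rest.split("?", 1)[0]
        parsed.setdefault(algo, []).append(f"{algo}-{value}")
    return parsed


def sri_matches(body: bytes, integrity: str) -> bool:
    """True if the body satisfies the integrity attribute.

    Browsers keep only the strongest algorithm present and accept the body
    if it matches any token of that algorithm; weaker tokens are ignored,
    so a sha384 pin cannot be downgraded by appending a sha256 token.
    An attribute with no recognised token imposes no constraint.
    """
    parsed = parse_integrity(integrity)
    if not parsed:
        return True
    strongest = max(parsed, key=SRI_ALGORITHMS.index)
    return sri_digest(body, strongest) in parsed[strongest]


# Constructed sample body standing in for a fetched script.
SAMPLE_BODY = b"/* constructed sample script */ window.sample = 1;"
# A sha384 pin for it, the same token shape the loader above uses.
SAMPLE_INTEGRITY = sri_digest(SAMPLE_BODY)


if __name__ == "__main__":
    print(SAMPLE_INTEGRITY)
    print("intact:", sri_matches(SAMPLE_BODY, SAMPLE_INTEGRITY))
    print("tampered:", sri_matches(SAMPLE_BODY + b"\n// tampered", SAMPLE_INTEGRITY))
```

Running the block prints a 64-character base64 token after the sha384- prefix, which is why the loader's token has that length; changing a single byte of the body makes sri_matches return False, and a correct sha256 token listed next to a wrong sha384 token is still rejected because only the strongest algorithm is compared.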


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.7  49701        3.163.125.15    443               6240  C:\Windows\SysWOW64\mshta.exe

Timestamp                Bytes transferred  Direction  Data
2025-04-28 13:23:55 UTC  346                OUT        GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1
                                                                                                                                                                    Accept: */*
                                                                                                                                                                    Accept-Language: en-CH
                                                                                                                                                                    Origin: file:
                                                                                                                                                                    Accept-Encoding: gzip, deflate
                                                                                                                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                                                                                                                    Host: cdn.amplitude.com
                                                                                                                                                                    Connection: Keep-Alive
2025-04-28 13:23:55 UTC  786                IN         HTTP/1.1 200 OK
                                                                                                                                                                    Content-Type: application/javascript
                                                                                                                                                                    Content-Length: 22154
                                                                                                                                                                    Connection: close
                                                                                                                                                                    Date: Mon, 28 Apr 2025 13:23:56 GMT
                                                                                                                                                                    Access-Control-Allow-Origin: *
                                                                                                                                                                    Access-Control-Allow-Methods: GET, HEAD
                                                                                                                                                                    Access-Control-Max-Age: 3000
                                                                                                                                                                    Last-Modified: Fri, 13 Aug 2021 22:37:42 GMT
                                                                                                                                                                    ETag: "660c3b546f2a131de50b69b91f26c636"
                                                                                                                                                                    x-amz-server-side-encryption: AES256
                                                                                                                                                                    Cache-Control: max-age=31536000
                                                                                                                                                                    Content-Encoding: gzip
                                                                                                                                                                    x-amz-version-id: NY8_7uBz3xoXYJBVsMSBAGHOz8ixMBS3
                                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                                    Server: AmazonS3
                                                                                                                                                                    Vary: Origin,Access-Control-Request-Headers,Access-Control-Request-Method
                                                                                                                                                                    X-Cache: Miss from cloudfront
                                                                                                                                                                    Via: 1.1 9ed589723d880832fbd56a7bfede4018.cloudfront.net (CloudFront)
                                                                                                                                                                    X-Amz-Cf-Pop: LAX54-P1
                                                                                                                                                                    X-Amz-Cf-Id: QpoIxtdFWKkfUtIVcViHgRXmd9CkyhvqNeHXqg33u6Go3-KdemSM6A==
                                                                                                                                                                    2025-04-28 13:23:55 UTC15598INData Raw: 1f 8b 08 00 2d f4 16 61 00 03 cc 3b 8d 73 e2 b6 f2 ff 8a e3 76 88 5d 14 17 48 9a be 9a a8 0c 49 b8 2b 6d 02 94 8f eb 5d 39 1e e3 80 42 dc 80 c5 d9 72 72 34 f0 bf bf 5d 49 fe e0 23 d7 4e df ef cd fc 66 6e 82 bd 5a af 56 bb ab fd 92 ee c9 0b 0d 6f b1 9c fb 22 9e 32 7a 1f 07 13 e1 f3 c0 b2 5f cc 38 62 46 24 42 7f 22 cc 6a 02 37 84 c5 ec 97 90 89 38 0c 2c 41 cd 04 6e 52 2a 56 4b c6 ef 8d de 6a 71 c7 e7 85 82 19 c9 87 dd 01 c7 17 2c f4 04 0f 6b e9 54 29 41 43 63 b2 8d 7b 60 90 01 cd d7 a7 63 ce 84 07 c0 6d 3c 01 da 94 d2 14 7e 94 3c 3b cb 90 0b 8e 9f d5 12 de dc 74 42 1b 26 da a4 8b f4 2d 46 84 fd 72 cf 43 eb 09 c4 13 d0 52 35 b8 10 ce 9c 05 33 f1 50 0d 8a 45 fb 05 e1 3e 15 c3 60 54 f5 1d 16 c4 0b 58 d5 dd 9c d1 fc cb 7a 7d 54 26 3e 32 76 ef cf 62 35 7e 54 22
                                                                                                                                                                    Data Ascii: -a;sv]HI+m]9Brr4]I#NfnZVo"2z_8bF$B"j78,AnR*VKjq,kT)ACc{`cm<~<;tB&-FrCR53PE>`TXz}T&>2vb5~T"
                                                                                                                                                                    2025-04-28 13:23:55 UTC3590INData Raw: be c2 17 25 9c 0a 94 f8 ac 45 a9 cd 20 f4 81 e0 21 e6 6f 17 01 b2 0a 90 db 1b 17 c1 10 04 06 61 c3 5b 59 6b 7d bd ad 3b 8b a1 b9 17 04 2f f1 3e 90 8e 36 25 69 a7 8d ea a9 89 77 8c 74 e3 02 d5 46 ec 5d 85 c3 38 e2 37 9a e0 c1 4c ef 37 9b 6e 14 54 8d 01 06 a2 12 77 93 5b 1f 9a 86 b8 0b 7c 95 a6 f2 68 1d 9d 7c 94 2f f1 e6 73 2b 97 81 d9 1b 56 d3 54 20 22 af 48 ab 7a ed ac aa b2 f8 2f 51 e2 92 a7 78 9c 38 18 96 a8 09 63 63 44 92 f4 f6 ad 00 8e af 0b 79 ea 44 41 91 61 e6 17 70 7b 9e 12 1f 3a e5 04 fc bd 4c 76 5e 15 99 5d 9e 62 8c cd 72 0f 4e 6d 34 bc 01 27 d6 a3 ad 23 72 9c ff d6 9b c0 2c 71 12 f9 c3 d6 51 c3 18 21 3a 18 e3 84 62 64 24 2f 74 7d e8 c3 2f 03 70 00 87 08 5c be f8 b2 f1 fc 80 48 27 a0 13 b2 57 4f 33 8e 0d d8 d2 f1 1c dc d6 56 c9 e0 cd 0c 52 ee 0a
                                                                                                                                                                    Data Ascii: %E !oa[Yk};/>6%iwtF]87L7nTw[|h|/s+VT "Hz/Qx8ccDyDAap{:Lv^]brNm4'#r,qQ!:bd$/t}/p\H'WO3VR
                                                                                                                                                                    2025-04-28 13:23:55 UTC2966INData Raw: b9 1a 93 d6 44 1b 27 db 11 88 c4 5d 37 4e 40 db c5 f3 a4 2f 6b 26 1e 3e ae 4a 1a b6 df 36 64 ac bb 7d b7 16 e1 2f 4b 2d 86 f9 32 0e 39 4f b8 8b 55 0b e5 59 e2 5b 0d d7 58 34 1f dc 5a a7 5d 4e 45 fb 9f bc f6 07 6e bc be ff 05 72 8f b1 c2 f7 7e 56 ba e2 af e4 19 1d b6 ab 0e 91 42 e9 a5 5e 75 8f 69 b3 fd bd e7 a8 21 ad 33 c9 7f 30 7d e9 d0 d9 79 3c a1 24 f5 1d 75 2f d7 bd 39 5a 70 6b ae 53 88 c0 da 80 0d 4a 6b d3 bf 48 57 e5 d2 cc e5 87 18 ab 69 12 e0 ff bd 48 65 09 4d 03 5b fa 43 b1 29 a4 60 ec 5a 82 35 56 20 00 6f dd 9b 4e f8 f7 5c 00 3a 2f 44 1c 2b 99 3b e1 29 ed e3 18 3d e1 d7 2c 3d fc 8b 70 6a 7e 91 5b 51 83 73 31 3c 8a d8 1a 8b a6 7e 78 81 e5 bb 02 76 3c f6 54 63 3b 1e 80 e4 86 86 1d 4f 57 ec b2 ad 32 2a fa c2 55 9b de 19 e7 3a 7e e4 81 36 bb 46 18 a0
                                                                                                                                                                    Data Ascii: D']7N@/k&>J6d}/K-29OUY[X4Z]NEnr~VB^ui!30}y<$u/9ZpkSJkHWiHeM[C)`Z5V oN\:/D+;)=,=pj~[Qs1<~xv<Tc;OW2*U:~6F
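The session above is the signature of an HTA run by mshta.exe: the requesting process is mshta.exe (PID 6240), the request carries Origin: file: because the HTML was loaded from local disk rather than a web origin, the User-Agent is the MSIE/Trident string the MSHTML engine sends, and the resource fetched is a remote script. The following is an added example, not part of the Joe Sandbox report, that turns those four signals into a check over a session record and a raw HTTP request in the layout the report prints. The function, class and field names are this example's own; the sample session and request are constructed from the values on this page, and the benign control record is invented for contrast.

```python
"""Flag web requests that carry the marks of an HTA running under mshta.exe.

Added example; not part of the Joe Sandbox report. Names are this example's
own; the sample records are constructed from values printed in the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    session_id: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    pid: int
    process: str


@dataclass(frozen=True)
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str]  # header names lower-cased


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.x request."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, path, headers)


# mshta.exe renders through MSHTML, so its requests advertise MSIE + Trident.
TRIDENT_UA = re.compile(r"MSIE \d+\.\d+;.*Trident/\d", re.IGNORECASE)
SCRIPT_PATH = re.compile(r"\.js(\?|$)", re.IGNORECASE)


def hta_indicators(session: Session, req: HttpRequest) -> dict[str, bool]:
    """Evaluate each HTA-related signal independently."""
    exe = session.process.rsplit("\\", 1)[-1].lower()
    return {
        "mshta_process": exe == "mshta.exe",
        "file_origin": req.headers.get("origin", "").lower().startswith("file:"),
        "trident_ua": bool(TRIDENT_UA.search(req.headers.get("user-agent", ""))),
        "remote_script": bool(SCRIPT_PATH.search(req.path)),
    }


def is_hta_script_load(session: Session, req: HttpRequest) -> bool:
    """Core rule: a local-file origin pulling a remote script, corroborated by
    the process name or the Trident user agent. Requiring corroboration keeps
    an ordinary file:// page opened in a browser from matching on Origin alone."""
    ind = hta_indicators(session, req)
    return ind["file_origin"] and ind["remote_script"] and (
        ind["mshta_process"] or ind["trident_ua"]
    )


# Constructed from the session and request printed in the report above.
SAMPLE_SESSION = Session(1, "192.168.2.7", 49701, "3.163.125.15", 443, 6240,
                         r"C:\Windows\SysWOW64\mshta.exe")
SAMPLE_REQUEST = """GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1
Accept: */*
Accept-Language: en-CH
Origin: file:
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cdn.amplitude.com
Connection: Keep-Alive
"""

# Invented control: a normal browser loading the same script from a web page.
BENIGN_SESSION = Session(2, "192.168.2.7", 49800, "3.163.125.15", 443, 4242,
                         r"C:\Program Files\Mozilla Firefox\firefox.exe")
BENIGN_REQUEST = """GET /libs/amplitude-8.5.0-min.gz.js HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Host: cdn.amplitude.com
"""

if __name__ == "__main__":
    for sess, raw in ((SAMPLE_SESSION, SAMPLE_REQUEST), (BENIGN_SESSION, BENIGN_REQUEST)):
        req = parse_request(raw)
        print(sess.pid, sess.process, req.headers["host"] + req.path,
              hta_indicators(sess, req), is_hta_script_load(sess, req))
```

The same rule works on the first session in this report (the GET /recaptcha/api.js to www.google.com): both requests are benign third-party libraries on their own, and the point of the check is the combination of who fetched them and from what origin, not the destination. On a proxy that does not record the process name, the file: origin plus the Trident user agent is still enough to match, which is why the rule accepts either corroborating signal.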


[Chart: per-process activity over time; x-axis 0 to 100 s, y-axis 0 to 100]
[Chart: per-process memory over time; x-axis 0 to 100 s, y-axis 0.0 to 40 MB]
[Chart: process behavior distribution; categories: File, Registry]

Target ID: 0
Start time: 09:23:30
Start date: 28/04/2025
Path: C:\Windows\SysWOW64\mshta.exe
Wow64 process (32bit): true
Commandline: mshta.exe "C:\Users\user\Desktop\default.hta"
Imagebase: 0x8f0000
File size: 13'312 bytes
MD5 hash: 06B02D5C097C7DB1F109749C45F3F505
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 11
Start time: 09:24:17
Start date: 28/04/2025
Path: C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\WerFault.exe -u -p 6240 -s 2792
Imagebase: 0xd80000
File size: 483'680 bytes
MD5 hash: C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                                                    Executed Functions

                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
• Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
• Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
• Instruction Fuzzy Hash:
Memory Dump Source
• Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                    • Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
                                                                                                                                                                    Similarity
                                                                                                                                                                    • API ID:
                                                                                                                                                                    • String ID:
                                                                                                                                                                    • API String ID:
                                                                                                                                                                    • Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
                                                                                                                                                                    • Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
                                                                                                                                                                    • Instruction Fuzzy Hash:
                                                                                                                                                                    Memory Dump Source
• Source File: 00000000.00000002.1546708039.0000000006AA0000.00000010.00000800.00020000.00000000.sdmp, Offset: 06AA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_6aa0000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
• Instruction ID: 686820dca3963c21a3d3bef694e2d999e78a944a5853475e377f21e0a1e00040
• Opcode Fuzzy Hash: d01243d30d7a15b8af5196df933bdf8aaba44409edc6a01ba4558f01e0b1b708
• Instruction Fuzzy Hash: