
Windows Analysis Report
PROD_Start_DriverPack.hta

Overview

General Information

Sample Name: PROD_Start_DriverPack.hta
Analysis ID: 882168
MD5: dda846a4704efc2a03e1f8392e6f1ffc
SHA1: 387171a06eee5a76aaedc3664385bb89703cf6df
SHA256: e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Writes or reads registry keys via WMI
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
IP address seen in connection with other malware

Classification

Classification chart (image not preserved): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.
  • System is w10x64
  • mshta.exe (PID: 4764 cmdline: mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta" MD5: 7083239CE743FDB68DFC933B7308E80A)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched



AV Detection

Source: dwrapper-prod.herokuapp.com | Virustotal: Detection: 7%
Source: global traffic | HTTP traffic detected. All requests below carry Accept: */*, Accept-Language: en-US, Accept-Encoding: gzip, deflate, Connection: Keep-Alive and User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); every request after the first also carries Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html.
  • GET /bin/step1_av.html HTTP/1.1 (Host: dwrapper-prod.herokuapp.com; no Referer)
  • GET /bin/src/style.css HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/missing-scripts-detector.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /client_ip.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/variables/1.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/variables/2.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/variables/3.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/variables/4.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/variables/5.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/script.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/statistics.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /bin/src/lang.js HTTP/1.1 (Host: dwrapper-prod.herokuapp.com)
  • GET /matomo.php?idsite=1&rec=1&rand=55936274&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=42&uid=10212914377202365&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html HTTP/1.1 (Host: example-dwrapper.matomo.cloud; action_name decodes to "Wrapper / Start screen page", url to https://my-domain.com/start_screen.html)
  • GET /matomo.php?idsite=1&rec=1&rand=97815994&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=43&uid=10212914377202365&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1 (Host: example-dwrapper.matomo.cloud; e_c decodes to "Wrapper / Errors / Missing scripts", e_a to the Russian "Все скрипты успешно загрузились", i.e. "All scripts loaded successfully")
Source: Joe Sandbox View | IP Address: 18.157.122.248
Source: unknown | DNS traffic detected: queries for: dwrapper-prod.herokuapp.com
Source: global traffic | HTTP traffic detected (two identical responses recorded; the image/gif body matches the matomo.php tracking pixel): HTTP/1.1 503 Service Unavailable | Date: Mon, 05 Jun 2023 21:31:43 GMT | Content-Type: image/gif | Content-Length: 50 | Connection: keep-alive | Server: Apache | Cache-Control: no-store | Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent | Content-Encoding: gzip | Data Raw: 1f 8b 08 00 00 00 00 00 00 03 73 f7 74 b3 b0 4c 64 64 60 64 68 60 80 02 c5 9f 2c 8c 20 5a 07 44 80 64 18 98 98 5c 18 19 ac 01 76 bd 68 ab 2b 00 00 00 | Data Ascii: not printable (the body is a gzip stream, signature 1f 8b 08, whose trailer declares 43 decompressed bytes; it inflates to a 1x1 GIF89a image, so the 503 still delivers the tracking pixel)
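The request lines above are what a triage script actually has to work with: one flattened string per request with the headers run together, percent-encoded UTF-8 in the Matomo query, and a gzip-compressed response body shown only as hex. The following Python is an added example written for this page; it is not Joe Sandbox output and not code from the sample. It parses the flattened request format, decodes the tracking beacon, checks whether every request carries the MSIE 7.0 / Trident/7.0 user agent (assumed here to be the default MSHTML sends for an HTA that sets no X-UA-Compatible directive; the report only says "known web browser user agent"), and inflates the captured gzip body. The sample lines and the hex dump are copied from the report above; the function names and the header-name list are this example's own.

```python
"""Triage helpers for the flattened HTTP lines in this report.

Added example for this page; not Joe Sandbox code and not code from the sample.
Everything below is driven by sample input copied from the report above.
"""
import re
import zlib
from urllib.parse import parse_qs, urlsplit

# Header names the report prints back to back with no separator (the set seen on this page).
_HEADER_NAMES = ("Accept-Language", "Accept-Encoding", "User-Agent", "Accept",
                 "Referer", "Host", "Connection")
_HEADER_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(map(re.escape, _HEADER_NAMES)))
_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) (?P<version>HTTP/\d\.\d)")

# Assumption: this is the default user agent MSHTML sends for an HTA with no X-UA-Compatible
# directive (IE7 document mode); the report itself only says "known web browser user agent".
MSHTA_DEFAULT_UA_MARKERS = ("MSIE 7.0", "Trident/7.0")


def parse_flat_request(line):
    """Split 'GET /x HTTP/1.1Accept: */*Host: h...' into method, target, version and a header dict."""
    m = _REQUEST_LINE.match(line)
    if m is None:
        raise ValueError("not an HTTP request line: %r" % line[:40])
    headers = {}
    for chunk in _HEADER_SPLIT.split(line[m.end():]):   # zero-width split before each header name
        if chunk:
            name, _, value = chunk.partition(": ")
            headers[name] = value
    return {"method": m["method"], "target": m["target"], "version": m["version"], "headers": headers}


def matomo_event(target):
    """Decode a Matomo tracking-API query; percent-encoded UTF-8 (Cyrillic here) becomes readable text."""
    parts = urlsplit(target)
    if not parts.path.endswith("/matomo.php"):
        return {}
    return {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}


def triage(lines):
    """Summarise contacted hosts, requested paths, user-agent consistency and tracking beacons."""
    reqs = [parse_flat_request(line) for line in lines]
    user_agents = {r["headers"].get("User-Agent", "") for r in reqs}
    return {
        "hosts": sorted({r["headers"].get("Host", "") for r in reqs}),
        "paths": [r["target"].split("?", 1)[0] for r in reqs],
        "mshta_default_ua": all(all(marker in ua for marker in MSHTA_DEFAULT_UA_MARKERS)
                                for ua in user_agents),
        "beacons": [ev for ev in (matomo_event(r["target"]) for r in reqs) if ev],
    }


def inflate_gzip_fragment(hexdump):
    """Inflate a captured gzip body from its hex dump.

    The raw DEFLATE stream after the 10-byte header is inflated directly, so a capture with a
    damaged trailer still yields the leading bytes; CRC32 and ISIZE from the trailer are reported,
    not trusted. Optional header fields (FHCRC/FEXTRA/FNAME/FCOMMENT) are absent in this capture
    and deliberately not handled.
    """
    raw = bytes.fromhex(hexdump)
    if raw[:3] != b"\x1f\x8b\x08":
        raise ValueError("not a gzip stream with a DEFLATE payload")
    if raw[3] & 0x1E:
        raise ValueError("optional gzip header fields present; extend the header parser")
    data = zlib.decompressobj(-zlib.MAX_WBITS).decompress(raw[10:-8])
    crc = int.from_bytes(raw[-8:-4], "little")
    isize = int.from_bytes(raw[-4:], "little")
    return {"data": data, "isize": isize, "crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == crc}


# ---- sample input, copied from the report above (constructed for this example) ----
_UA = ("Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; "
       ".NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)")
_REFERER = "Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html"
_COMMON = "Accept-Language: en-USAccept-Encoding: gzip, deflateUser-Agent: " + _UA
SAMPLE_LINES = [
    "GET /bin/step1_av.html HTTP/1.1Accept: */*" + _COMMON
    + "Host: dwrapper-prod.herokuapp.comConnection: Keep-Alive",
    "GET /bin/src/style.css HTTP/1.1Accept: */*" + _REFERER + _COMMON
    + "Host: dwrapper-prod.herokuapp.comConnection: Keep-Alive",
    "GET /matomo.php?idsite=1&rec=1&rand=97815994&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=43"
    "&uid=10212914377202365&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts"
    "&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5"
    "%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C"
    "&e_n=&e_v=&ca=1 HTTP/1.1Accept: */*" + _REFERER + _COMMON
    + "Host: example-dwrapper.matomo.cloudConnection: Keep-Alive",
]
# Hex of the gzip body in the 503 responses from example-dwrapper.matomo.cloud, as printed above.
RAW_503_BODY = ("1f 8b 08 00 00 00 00 00 00 03 73 f7 74 b3 b0 4c 64 64 60 64 68 60 80 02 c5 9f 2c 8c 20 5a"
                " 07 44 80 64 18 98 98 5c 18 19 ac 01 76 bd 68 ab 2b 00 00 00")

if __name__ == "__main__":
    summary = triage(SAMPLE_LINES)
    print(summary["hosts"], summary["mshta_default_ua"])
    for beacon in summary["beacons"]:
        print(beacon.get("e_c"), "->", beacon.get("e_a"))
    body = inflate_gzip_fragment(RAW_503_BODY)
    print(body["data"][:6], len(body["data"]), body["isize"], body["crc_ok"])
```

Inflating the raw DEFLATE stream after the gzip header, instead of calling gzip.decompress, is deliberate: a capture whose trailer was truncated or mis-rendered still yields the leading bytes, and the CRC32 and ISIZE are reported as findings rather than trusted as preconditions. On the bytes above the body inflates to a 43-byte 1x1 GIF89a, which is why the 503 from the Matomo host still carries Content-Type: image/gif. The same parser applies unchanged to the other flattened request lines in this report; extend _HEADER_NAMES if a capture contains headers not seen here.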
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsuperokuapp.com/
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/s
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC:
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsE?
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsT
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsZ
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jscs.jsT
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsnt
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jss
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.00000000084DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.000000000272B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js8
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsC:
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js5.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.jsC:
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js-detector.jsS
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsS
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsc
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsnuuU
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jstUp
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css_
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.cssoC:
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css~
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js-detector.js
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jsL
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsC
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsC:
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsL
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jskl
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jshttp://dwrapper-prod.herokuapp.com/bin/src/
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jss
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js#
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js3
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsD
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsS
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsc
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jshttp://dwrapper-prod.herokuapp.com/bin/src/
Source: mshta.exe, 00000000.00000002.614773962.000000000272B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsrtcuts
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jss
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp, PROD_Start_DriverPack.htaString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html$
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html...
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html32
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html?KQ
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlC:
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlJ
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlO
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlQJ
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlZ?
Source: mshta.exe, 00000000.00000002.615911265.000000000852E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmle
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhta
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhtache
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhttp://dwrapper-prod.herokuapp.com/bin/step1_av.
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmli
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlj
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmll
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllbJ
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllu
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlmJ
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmls
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/c
Source: mshta.exe, 00000000.00000002.615911265.00000000084DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp, step1_av[1].htm.0.drString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.js
Source: mshta.exe, 00000000.00000002.615911265.00000000084DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsB
Source: mshta.exe, 00000000.00000003.358546608.00000000086EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsINFO:
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsLMEM
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsPack.htaDrive
Source: mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jshtmlhta.dll
Source: mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jshttp://dwrapper-prod.herokuapp.com/bin/src/variables/
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.jsng-scripts-detector.jsO
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp, style[1].css.0.dr; String found in binary or memory: http://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/240/apple/285/white-heavy-check-mar
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://example-dwrapper.matomo.cloud/
Source: mshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr; String found in binary or memory: http://example-dwrapper.matomo.cloud/matomo.php
Source: mshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr; String found in binary or memory: https://developer.matomo.org/api-reference/tracking-api
Source: mshta.exe, 00000000.00000002.614773962.000000000272B000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr; String found in binary or memory: https://my-domain.com

System Summary

Source: C:\Windows\SysWOW64\mshta.exe; WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine; Classification label: mal52.winHTA@1/12@2/2
Source: C:\Windows\SysWOW64\mshta.exe; File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe; File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mshta.exe; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4
Source: C:\Windows\SysWOW64\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: C:\Windows\SysWOW64\mshta.exe; Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000000.00000002.615911265.00000000084DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\mshta.exe; Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe; Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
MITRE ATT&CK Matrix (techniques listed per tactic; the numbers in parentheses are the hit counts shown in the matrix)

  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: Windows Management Instrumentation (1); Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Obfuscated Files or Information; Binary Padding
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: Security Software Discovery (1); File and Directory Discovery (1); System Information Discovery (12); Remote System Discovery (1)
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Non-Application Layer Protocol (3); Application Layer Protocol (13); Ingress Tool Transfer (3); Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data
Behavior Graph (ID: 882168). Sample: PROD_Start_DriverPack.hta; start date: 05/06/2023; architecture: WINDOWS; score: 52.

  • Signature: Multi AV Scanner detection for domain / URL
  • Process: mshta.exe 1 37 (started)
  • Network: example-dwrapper.matomo.cloud, 18.157.122.248, local port 49701, remote port 80, AMAZON-02US, United States
  • Network: dwrapper-prod.herokuapp.com, 46.137.15.86, local ports 49699 and 49700, remote port 80, AMAZON-02US, Ireland
  • Signature (mshta.exe): Writes or reads registry keys via WMI

Antivirus detection (Source / Detection / Scanner):

  • PROD_Start_DriverPack.hta: 0% (ReversingLabs)
  • PROD_Start_DriverPack.hta: 0% (Virustotal)

No Antivirus matches

  • example-dwrapper.matomo.cloud: 0% (Virustotal)
  • dwrapper-prod.herokuapp.com: 8% (Virustotal)


Contacted domains (Name / IP / Active / Malicious / Antivirus Detection / Reputation):

  • example-dwrapper.matomo.cloud: 18.157.122.248; active: true; malicious: false; reputation: unknown
  • dwrapper-prod.herokuapp.com: 46.137.15.86; active: true; malicious: false; reputation: unknown
NameMaliciousAntivirus DetectionReputation
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmltrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/matomo.php?idsite=1&rec=1&rand=55936274&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=42&uid=10212914377202365&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.htmlfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/4.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/script.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jstrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/matomo.php?idsite=1&rec=1&rand=97815994&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=43&uid=10212914377202365&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1false
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/style.csstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/lang.jstrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jstrue
  • Avira URL Cloud: safe
unknown
NameSourceMaliciousAntivirus DetectionReputation
http://dwrapper-prod.herokuapp.com/bin/src/lang.jsE?mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlemshta.exe, 00000000.00000002.615911265.000000000852E000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsLmshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.jscmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/style.css~mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.html32mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jsng-scripts-detector.jsOmshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.js-detector.jsSmshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhtachemshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsCmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlsmshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/matomo.php?idsite=1&rec=1&rand=97815994&apiv=1&cookie=1&bots=1&mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlC:mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmljmshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jsLMEMmshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/1.jsLmshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlimshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jssmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllmshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jsBmshta.exe, 00000000.00000002.615911265.00000000084DC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsklmshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhttp://dwrapper-prod.herokuapp.com/bin/step1_av.mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/matomo.phpmshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsnuuUmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/2.jsC:mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jsINFO:mshta.exe, 00000000.00000003.358546608.00000000086EF000.00000004.00000800.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/script.js5.jsmshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js#mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlhtamshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/matomo.php.mshta.exe, 00000000.00000002.615687229.0000000007ED0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.364242235.0000000007ECF000.00000004.00000800.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
https://my-domain.commshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/client_ip.jshtmlhta.dllmshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://example-dwrapper.matomo.cloud/dmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmpfalse
  • Avira URL Cloud: safe
unknown
http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js3mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
  • Avira URL Cloud: safe
unknown
http://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/240/apple/285/white-heavy-check-marmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp, style[1].css.0.drfalse
    high
    http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC:mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    unknown
    http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsrtcutsmshta.exe, 00000000.00000002.614773962.000000000272B000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    unknown
    http://dwrapper-prod.herokuapp.com/bin/src/lang.jsZmshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    unknown
    http://dwrapper-prod.herokuapp.com/bin/step1_av.html...mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
    • Avira URL Cloud: safe
    unknown
    https://developer.matomo.org/api-reference/tracking-apimshta.exe, 00000000.00000002.615911265.000000000855F000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.drfalse
      high
      http://dwrapper-prod.herokuapp.com/bin/src/lang.jsTmshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jshttp://dwrapper-prod.herokuapp.com/bin/src/mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlZ?mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/step1_av.html$mshta.exe, 00000000.00000002.614773962.00000000026D7000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlQJmshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/src/variables/3.jshttp://dwrapper-prod.herokuapp.com/bin/src/mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsDmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/client_ip.jshttp://dwrapper-prod.herokuapp.com/bin/src/variables/mshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/smshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/src/lang.jscs.jsTmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsC:mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllumshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      https://my-domain.com&queuedtracking=0&apiv=1&cookie=1&bots=1imshta.exe, 00000000.00000002.615661543.0000000007EC5000.00000004.00000800.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      low
      http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsSmshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
      http://ctldl.windowsuperokuapp.com/mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmpfalse
      • Avira URL Cloud: safe
      unknown
      http://dwrapper-prod.herokuapp.com/bin/step1_av.html?KQmshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmptrue
      • Avira URL Cloud: safe
      unknown
Name: http://example-dwrapper.matomo.cloud/Wp
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://example-dwrapper.matomo.cloud/matomo.php?idsite=1&rec=1&rand=55936274&apiv=1&cookie=1&bots=1&
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/lang.jss
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/script.jsC:
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/client_ip.jsPack.htaDrive
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js-detector.js
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/style.css_
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlmJ
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jsc
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmllbJ
Source: mshta.exe, 00000000.00000002.614773962.0000000002683000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js8
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsnt
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/style.cssoC:
Source: mshta.exe, 00000000.00000002.614773962.000000000265C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/c
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlJ
Source: mshta.exe, 00000000.00000002.615911265.000000000853C000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: none listed
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jsS
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/statistics.jstUp
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/step1_av.htmlO
Source: mshta.exe, 00000000.00000002.614773962.00000000026E8000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.jss
Source: mshta.exe, 00000000.00000002.615911265.00000000084FC000.00000004.00000020.00020000.00000000.sdmp
Malicious: true
Antivirus Detection: none listed
Reputation: unknown

Note: the Name strings in this table are carved from process memory. The characters after the file name (for example "lang.jss", "script.jsC:", "client_ip.jsPack.htaDrive") are adjacent bytes in the dump, not part of the request. Every request goes to one of two hosts, dwrapper-prod.herokuapp.com (the wrapper's own scripts and pages) and example-dwrapper.matomo.cloud (the matomo.php tracking endpoint).
IP | Domain | Country | ASN | ASN Name | Malicious
18.157.122.248 | example-dwrapper.matomo.cloud | United States | 16509 | AMAZON-02 (US) | false
46.137.15.86 | dwrapper-prod.herokuapp.com | Ireland | 16509 | AMAZON-02 (US) | false
          Joe Sandbox Version:37.1.0 Beryl
          Analysis ID:882168
          Start date and time:2023-06-05 23:30:51 +02:00
          Joe Sandbox Product:CloudBasic
          Overall analysis duration:0h 5m 21s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:6
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • HDC enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample file name:PROD_Start_DriverPack.hta
          Detection:MAL
          Classification:mal52.winHTA@1/12@2/2
          EGA Information:Failed
          HDC Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 28
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .hta
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
          • Execution Graph export aborted for target mshta.exe, PID 4764 because it is empty
• Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
23:31:42 | API Interceptor | 1x Sleep call for process: mshta.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name
18.157.122.248 | https://aaaaqwertygwfry6.info/ | malicious | Unknown
18.157.122.248 | https://uiqqdwnrwo6.info/ | malicious | Unknown
18.157.122.248 | https://ontvangen-2023.icu/be/ontvang/fluvius.php | malicious | Unknown
18.157.122.248 | https://pointsbet-rewardz.com/giveaway/giveaway/ | malicious | Unknown
18.157.122.248 | https://driverpack.io/en/devices/printer/canon/canon-generic-plus-ps3 | malicious | Unknown
18.157.122.248 | https://fractal.ai/trial-run/ | malicious | Unknown
18.157.122.248 | http://ppt.cc/frAq1x | malicious | Unknown
18.157.122.248 | https://www.paperturn-view.com/?pid=MzA301539&v=1.1 | malicious | Unknown
18.157.122.248 | https://siasky.net/fAVxIY-BAyF91PE9bapXfxarSwNlAPiY99R5ZaDlegY_Sg | malicious | HTMLPhisher
18.157.122.248 | http://siasky.net | malicious | Unknown
18.157.122.248 | Bill of Lading.htm | malicious | HTMLPhisher
46.137.15.86 | https://driverpack.io/en/devices/printer/canon/canon-generic-plus-ps3 | malicious | Unknown
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
dwrapper-prod.herokuapp.com | https://driverpack.io/en/devices/printer/canon/canon-generic-plus-ps3 | malicious | Unknown | 46.137.15.86
example-dwrapper.matomo.cloud | https://driverpack.io/en/devices/printer/canon/canon-generic-plus-ps3 | malicious | Unknown | 18.157.122.248
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IP)
AMAZON-02 (US) | OriginalMessage.txt.msg | malicious | HTMLPhisher | 65.9.86.17
AMAZON-02 (US) | uF45UExu43.elf | malicious | Mirai | 13.232.173.27
AMAZON-02 (US) | 3luvCkj1b3.elf | malicious | Mirai | 157.175.68.154
AMAZON-02 (US) | http://ec2-52-33-3-241.us-west-2.compute.amazonaws.com/x/d?c=32300543&l=c3d48ee0-0e52-4b07-8793-5d6862cbbf84&r=5125c3db-a385-4f4a-99e2-b3f14dffbbc9 | malicious | Unknown | 44.241.81.217
AMAZON-02 (US) | https://docmsghome.weebly.com/ | malicious | Unknown | 108.138.36.102
AMAZON-02 (US) | sj7dF6aMC2.elf | malicious | Moobot | 108.135.213.213
AMAZON-02 (US) | https://signalspotharshly.com | malicious | HTMLPhisher | 108.156.2.62
AMAZON-02 (US) | http://tenetfinancialgroup.com | malicious | GRQ Scam | 108.138.36.108
AMAZON-02 (US) | message (2).html | malicious | Unknown | 52.16.253.114
AMAZON-02 (US) | 868448F6C06D672FD544F64AE73CA4B1FE8403AF947B8.exe | malicious | Njrat | 18.136.148.247
AMAZON-02 (US) | http://att-102339.weeblysite.com | malicious | Unknown | 108.138.40.116
AMAZON-02 (US) | RqLpAg8ESo.elf | malicious | Mirai | 35.152.84.52
AMAZON-02 (US) | K5G4L10cJk.elf | malicious | Mirai | 122.248.242.225
AMAZON-02 (US) | wuXRy6x0DL.elf | malicious | Mirai | 18.190.189.22
AMAZON-02 (US) | Zv1SmFNtGA.elf | malicious | Mirai | 18.191.249.250
AMAZON-02 (US) | OqSfWBACO2.elf | malicious | Mirai | 108.139.154.222
AMAZON-02 (US) | 5H03jNOGVb.elf | malicious | Mirai | 34.249.145.219
AMAZON-02 (US) | a61xSJtZrA.elf | malicious | Mirai, Moobot | 157.175.218.210
AMAZON-02 (US) | dIYehW6ter.elf | malicious | Mirai, Moobot | 52.18.4.136
AMAZON-02 (US) | YmT728moee.elf | malicious | Mirai, Moobot | 108.131.138.72

Note: both contacted IPs sit in AMAZON-02 and front hosted services (Heroku and Matomo Cloud), so the other samples listed against the same IP or ASN share infrastructure, not necessarily an operator. The domain-level context is the one worth pivoting on.
                                  No context
                                  No context
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1304
                                  Entropy (8bit):5.371258741762522
                                  Encrypted:false
                                  SSDEEP:24:JmXoFt/9j3riN7RaM3MxvKrRrkE+u3mcJI6c/22bv27jPQzLkKWyU:YYFneUvaF3lJIR/2YsszAKWyU
                                  MD5:4BDB642A191FD4BF5A806A7B7478633A
                                  SHA1:2A7CDBB5C072655F4B4899FCE40AA273037495B7
                                  SHA-256:494AACB6BA9D44FED47D20ADEA0FF2C597E6E1439C4D0694BC9EECB4AF77D096
                                  SHA-512:63C248F44E4F93E5D6E513D19E526D77C7D483FC36182951805552E87BC8E4C7DF79BF63407AE382C9804A915D4C576FE5ECDE1E464EB87FDECEFF21B34CADFE
                                  Malicious:false
                                  Reputation:low
Preview (the report shows control characters and non-ASCII text as dots; line breaks and indentation are restored here, non-ASCII comment text is left as dots):
    if (typeof loadedJS !== "undefined") { loadedJS.push("1.js"); }

    var version = "0.14";
    var buildDate = "2023/04/02"; // YYYY/MM/DD
    var Reg = "HKCU\\SOFTWARE\\dwrapper\\";

    var WshShell = new ActiveXObject("WScript.Shell");
    var WshEnv = WshShell.Environment("PROCESS");
    var AppData = WshShell.SpecialFolders("AppData");
    var ProgramFiles = WshShell.ExpandEnvironmentStrings("%ProgramFiles%");
    var ProgramFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%");
    var tempDir = WshShell.ExpandEnvironmentStrings("%TEMP%");
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var locator = new ActiveXObject("WbemScripting.SWbemLocator");
    var objWMIService = locator.ConnectServer(null, "root\\cimv2");
    var objShell = new ActiveXObject("Shell.Application");
    document.title = document.title + " " + version;

    //Resize window
    /*
    (function () {
        try {
            var screenWidth = (screen.availWidth ? screen.availWidth : screen.width);
            var screenHeight = (screen.availHe
This file creates the COM objects the rest of the wrapper relies on (WScript.Shell, Scripting.FileSystemObject, a WbemScripting.SWbemLocator connected to root\cimv2, Shell.Application) and defines the registry prefix HKCU\SOFTWARE\dwrapper\ that the other scripts write their own values under.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):5086
                                  Entropy (8bit):5.422218540561902
                                  Encrypted:false
                                  SSDEEP:96:Q+LHTI2QlTMWpFuh5mS2huO4KzbNgT5cN2yd6uAcq1BLYaX2Vv5I9Ffv5+T0iNDW:QSTI28TMWXu4caWT5cZIvgILZ+AkDC5
                                  MD5:22D3D08CBEC1245327396FAA5B60725A
                                  SHA1:71DFB22D57F73CD5390F1991B6013AB44CD7351A
                                  SHA-256:923CBFF9E47CA64E292A8932A13ED11F9E4A488DC20775181B010231F15E3E26
                                  SHA-512:D90B4C383077038D436B9E125240B62CFD928D24940E464A93FC88A0C76F1F1EE79E617CCCE0F41FBF1DF3D660C3764E323F02674E2F45BBA0CD31B957E09D92
                                  Malicious:false
                                  Reputation:low
Preview (line breaks and indentation restored; the report shows control characters as dots):
    if (typeof loadedJS !== "undefined") { loadedJS.push("2.js"); }

    function getCurrentDirectory() {
        var fso = new ActiveXObject("Scripting.FileSystemObject");
        var htaPath = fso.GetAbsolutePathName(document.location.pathname);
        var directory = fso.GetParentFolderName(htaPath);

        var baseUrl = document.location.href.split("/").slice(0, -1).join("/");
        var htaUrl = baseUrl + "/" + fso.GetFileName(htaPath);
        if (htaUrl === document.location.href) {
            return baseUrl;
        }
        return directory;
    }
    var current_dir = getCurrentDirectory();

    // Detect OS
    var is64 = false;
    if (WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%") == "AMD64"
        || WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITEW6432%") != "%PROCESSOR_ARCHITEW6432%") {
        is64 = true;
    }

    var OSVersion = 5;
    var OSVersionSP = 0;

    var colItems = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem", "WQL");
    var enumItems = new Enumerator(colItems);
    for (; !enumItems.atEnd(); enumItems.
The architecture check reads PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432, which is how a 32-bit mshta.exe under WOW64 learns it is on a 64-bit host; the OS version comes from a WMI Win32_OperatingSystem query.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):2538
                                  Entropy (8bit):5.676353904867985
                                  Encrypted:false
                                  SSDEEP:48:YPpaPGzh7iHgZ03jZ4onR1AF3R8I/idgw6+9dSVlhHH7QpZXKxDU:BP+EgZ0TZRu/id66wVD1Y
                                  MD5:CC9E168614A8D567352E24F970CA21E0
                                  SHA1:623C06BB9699F5AD91C4D19199A0F3780FC76A4D
                                  SHA-256:578820B83CD0244FFC068665C531A8C7D633F890A927A682A1708B84B7A08702
                                  SHA-512:A98DACDE394030A590E9D31941F71B8FBA3544EDCA2F17188FA940B314E58A8139FD62CF664A3D49264C8812053F5E869ECB6700A2B2A7BDCABD3C731C224D2F
                                  Malicious:false
                                  Reputation:low
Preview (line breaks and indentation restored; non-ASCII comment text is shown as dots in the report and left as-is):
    if (typeof loadedJS !== "undefined") { loadedJS.push("3.js"); }

    // Read registry
    // ToDo: ......... ....-.....!!!
    function RegRead(key) {

        key = key.replace('HKEY_LOCAL_MACHINE\\', 'HKLM\\');
        key = key.replace('HKEY_CURRENT_USER\\', 'HKCU\\');

        ret = RegRead32(key);

        if ((!ret) && (key.indexOf('\\SOFTWARE\\Microsoft\\') != -1)) {
            var t_key = key.replace('\\SOFTWARE\\Microsoft\\', '\\SOFTWARE\\Wow6432Node\\Microsoft\\');

            ret = RegRead32(t_key);
        }

        if (!ret && is64) {
            ret = RegRead64(key);
        }

        return ret;

    }

    function RegRead32(key) {
        var ret = "";
        try { ret = WshShell.RegRead(key); }
        catch (e) { ret = ""; }
        return ret;
    }

    function RegRead64(key) {
        try {
            var HKEY_LOCAL_MACHINE = 0x80000002;
            var HKEY_CURRENT_USER = 0x80000001;

            var context = new ActiveXObject("WbemScripting.SWbemNamedValueSet");
            context.Add("__ProviderArchitecture", 64);
            context.Add("__RequiredArchitecture", true);
            var locator =
RegRead() tries the process's own registry view first, then the Wow6432Node path for keys under SOFTWARE\Microsoft, and finally, on 64-bit hosts, the native 64-bit view through WMI with a __ProviderArchitecture=64 context. That last step is what lets the 32-bit mshta.exe read past WOW64 registry redirection, and it is why this sample's registry access shows up as WMI activity.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1157
                                  Entropy (8bit):5.443625546433963
                                  Encrypted:false
                                  SSDEEP:24:JmrIkiNpip1BYNeupYeuHgk2x3HN5E1vIfooGUeerKeQ3No:YrMNpTnanuH/Emf+UJrKeiNo
                                  MD5:B21247B2428E6D9F72405EB1A2F5F75C
                                  SHA1:11C6612989710432AE9730C2C20CE7EE9F0DF609
                                  SHA-256:9DDF298484BD63F71CFF04DD81E00913266FA8D71793E2C26F3B7B215067812C
                                  SHA-512:D3060F786D378680DA1917F7E00878A2012C6B9C497693B0C01BECF5D896F2681E851FB4F6724710A6E9C755D988A0828DF55B0966B431A38756355B9ACD0EBB
                                  Malicious:false
                                  Reputation:low
Preview (line breaks and indentation restored; non-ASCII comment text is shown as dots in the report and left as-is):
    if (typeof loadedJS !== "undefined") { loadedJS.push("4.js"); }

    function generateClientID() {
        var generateRandomNumber = Math.floor(Math.random() * 1e16);
        var getCurrentTimestamp = new Date().getTime();
        return generateRandomNumber + "." + getCurrentTimestamp;
    }

    // .......... . ....... Client ID
    if (RegExists(Reg + 'clientID')) {
        window.clientID = RegRead(Reg + 'clientID');
    }
    else {
        window.clientID = generateClientID();
        RegWrite(Reg + 'clientID', window.clientID)
    }

    // Open url
    function goToUrl(url) {
        lf('goToUrl');
        try {
            defBrowser = RegRead("HKCU\\SOFTWARE\\Clients\\StartMenuInternet\\");
            if (!defBrowser) defBrowser = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\");
            runComm = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\" + defBrowser + "\\shell\\open\\command\\");
            runComm = runComm.replace(/"/ig, '');
            if (runComm)
                WshShell.Run('"' + runComm + '" ' + '"' + url + '"', 1, false);
            else
                window.o
The client ID is "<random integer>.<millisecond timestamp>" and is persisted under HKCU\SOFTWARE\dwrapper\clientID (the Reg prefix from 1.js), so it survives across runs and identifies the host to the Matomo tracker. goToUrl() resolves the default browser from the StartMenuInternet registry keys and starts it through WshShell.Run with the URL as a quoted argument, which on a monitored host appears as a browser process whose parent is mshta.exe.
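Because 4.js writes the value returned by generateClientID() under HKCU\SOFTWARE\dwrapper\clientID and reuses it on every later start, that registry value doubles as a first-run timestamp for the wrapper on an infected host. The decoder below is an added triage example, not code from the report or the sample. The registry export is constructed, the decoded value is a made-up one, and the plausibility check against the buildDate "2023/04/02" from 1.js is a heuristic of this example, not something the sample enforces.

```python
import re
from datetime import datetime, timezone

# Where 4.js keeps the value: the Reg prefix from 1.js plus the value name.
CLIENT_ID_VALUE = r"HKCU\SOFTWARE\dwrapper\clientID"

# generateClientID() = Math.floor(Math.random() * 1e16) + "." + new Date().getTime()
# so the value is up to 16 decimal digits, a dot and a millisecond Unix timestamp.
CLIENT_ID_RE = re.compile(r"^(?P<rand>\d{1,16})\.(?P<ms>\d{12,14})$")

# buildDate from 1.js. Heuristic only: the value survives upgrades, so an
# older wrapper version could legitimately have written an earlier timestamp.
BUILD_DATE = datetime(2023, 4, 2, tzinfo=timezone.utc)

# Constructed 'reg export' output for the key (the value is made up).
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\SOFTWARE\\dwrapper]
"clientID"="4503599627370496.1685999451000"
"""


def decode_client_id(value):
    """Return the random part and the first-run time (UTC) encoded in a
    dwrapper clientID, or None if the value is not in that format."""
    match = CLIENT_ID_RE.match(value.strip())
    if not match:
        return None
    first_run = datetime.fromtimestamp(int(match["ms"]) / 1000, tz=timezone.utc)
    return {
        "random": match["rand"],
        "first_run_utc": first_run,
        "after_build_date": first_run >= BUILD_DATE,
    }


def parse_reg_export(text):
    """Find "clientID"="..." lines in a .reg export and decode them."""
    found = {}
    for line in text.splitlines():
        match = re.match(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$', line.strip())
        if match and match["name"] == "clientID":
            found[match["name"]] = decode_client_id(match["value"])
    return found


if __name__ == "__main__":
    for name, info in parse_reg_export(SAMPLE_EXPORT).items():
        print(CLIENT_ID_VALUE, info["first_run_utc"].isoformat(), info["after_build_date"])
```

The timestamp is the host's local clock at first run, so compare it with the earliest mshta.exe execution seen in endpoint telemetry: a clientID older than that execution means the wrapper ran before the period covered by the logs.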
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):538
                                  Entropy (8bit):5.280112968479041
                                  Encrypted:false
                                  SSDEEP:12:JqdCBVoflqnKA1B8lsD20X9koquJYVaXBZVz1odqnA:JmCBCflGN162auVVWVGm+A
                                  MD5:AEEE81BB12D7059393E42828191765C2
                                  SHA1:733A7D859097567B2B7FEAACE0498AD68C0F429D
                                  SHA-256:F9156E0C0A06207EB66A51AB364A05E37E0273242F9373F8378F6E0DEB705D0B
                                  SHA-512:E0ACB5A0A51677276124BEFD4AE8AAB0558C0BC95C5E7B70F6F2212367ECCFA9BEC85827D9CE6FD8BEF09A59D48A262CC0C155B72FAAECF897154E35C9219189
                                  Malicious:false
Preview (complete file; line breaks and indentation restored, non-ASCII comment text left as dots):
    if (typeof loadedJS !== "undefined") { loadedJS.push("5.js"); }

    function addLoadEvent(func) {
        var oldonload = window.onload;
        if (typeof window.onload != "function") {
            window.onload = func;
        } else {
            window.onload = function () {
                if (oldonload) {
                    oldonload();
                }
                func();
            };
        }
        // ......... ......... ......... . ........ ....... ..... .., .... ........ ... ........
        if (document.readyState === "complete") {
            func();
        }
    }
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):67231
                                  Entropy (8bit):5.549452833601988
                                  Encrypted:false
                                  SSDEEP:768:FSkBQstkitLTvcQ4p61Hh3ehnspXqDqIjvZq6mfUJTHe7tvnx8PZXJRr2z5t9rya:+sbv22VeIxcwz5jG14useIEBDGx
                                  MD5:0F8AA7C95F02FF49F1FBAE3D5817F2F9
                                  SHA1:3FEC254401BCDEC1D2DB5F23F9E02155E096571F
                                  SHA-256:685F7D5BF2AF77F561B24F8E4B2363503A76690D70B179BB55B161317BA47676
                                  SHA-512:CA3B3AB35E5F79A734727642A2AC76EBE20BED0552ECDDB116CFDF903BA1666A6A48B5837FD1F06B1B3969C360F5F07A6ED73D8882C7C09DBFFB919D9BB1CB8C
                                  Malicious:false
Preview (line breaks and indentation restored; the string values are non-ASCII and appear as dots in the report):
    if (typeof loadedJS !== "undefined") { loadedJS.push("lang.js"); }

    var l = {
        ru: {
            'defender_instruction_win7_1': '1. ........ ......... ..........: <a href="#" onclick="openDefenderSettingsWin7(); return false;">......... Windows Defender</a><br>',
            'defender_instruction_win7_2': '2. ....... .. ...... "........." . ....... ...... ....<br>',
            'defender_instruction_win7_3': '3. . ....... "...... . ........ ......." ....... ...... . ..... "............ ...... . ...... ......... ......."<br>',
            'defender_instruction_win7_4': '4. ....... .. ...... ".........".<br><br>',

            'defender_instruction_win8_1': '1. ........ ......... ..........: <a href="#" onclick="openDefenderSettingsWin7(); return false;">......... Wind
The key names show that these are numbered, per-Windows-version instructions about Windows Defender shown to the user, with a link that calls openDefenderSettingsWin7(); the instruction text itself cannot be recovered from the report.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):3549
                                  Entropy (8bit):5.718751523287771
                                  Encrypted:false
                                  SSDEEP:96:eGTzm4iZlN7GC+Ec4iGTzVbi+nMGTViBaHxWrsJrbOPFvJ+8Xu:Bm4eX7GFr9czV2CwaHygyx4
                                  MD5:5C4131C3255CB275FB6D7D2F2B6A1FB8
                                  SHA1:FF24D538B653C455865D6133AF5FF768FDADB32E
                                  SHA-256:75733A0CB0D087048775602B5AB85D081F5B26330189FD187529CDA95CB9A518
                                  SHA-512:4051ED5B1A4819E6EAFB0BF0E2DD4ED214EF9DC8DCCB1490D4AD59731B7B250DBC31E0B162C44B9E67A2DE071985B122C2C93117D8D1F4667FE3983B54A0ADA0
                                  Malicious:false
Preview (line breaks and indentation restored; the report shows control characters as dots):
    if (typeof loadedJS !== "undefined") { loadedJS.push("script.js"); }

    var windowWidth = 700;
    var windowHeight = 600;
    function resizeWindow() {
        var screenWidth = screen.availWidth;
        var screenHeight = screen.availHeight;

        var newX = (screenWidth - windowWidth) / 2;
        var newY = (screenHeight - windowHeight) / 2;

        var randomNumber = Math.floor(Math.random() * 5) + 1;

        try {
            window.resizeTo(windowWidth, windowHeight + randomNumber);
            window.moveTo(newX, newY);
        } catch (e) { }
    }
    if ((typeof autoResizeNoNeed != 'undefined') && (autoResizeNoNeed !== true)) {
        resizeWindow();
        setTimeout(resizeWindow, 1000);
    }

    function closeHTA() {
        window.moveTo(-1000, -1000)
        setTimeout(function () { window.close(); }, 1000);

        sendMatomoEvent({
            trackEvent: {
                category: 'Wrapper',
                action: 'Application closed'
            }
        });
    }
    function openPageHTA(url, target) {
        try {
            if (target) {
                WshShell.Run('%windir%\\system32\\mshta.exe "' + url + '"', 1, false);
Two behaviours here matter for detection: closeHTA() moves the window off-screen a second before closing it, and openPageHTA() starts a second mshta.exe with a remote URL as its argument, so the next page is fetched and executed from dwrapper-prod.herokuapp.com rather than from disk.
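The behaviours visible in script.js and 4.js give three process-level cues: mshta.exe executing a .hta from a user-writable path (the sample's own launch), mshta.exe started with an http(s) URL as its argument (openPageHTA), and a browser started by mshta.exe (goToUrl). The rule set below is an added example, not from the report or the sample. The events are constructed Sysmon-style process-creation records; only the first mirrors this report's launch line, the Chrome path and the benign control event are made up for the test, and the browser-name list is an assumption.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 terms (Image,
# ParentImage, CommandLine). Only the first mirrors this report's launch line;
# the rest are made up to exercise each rule.
EVENTS = [
    {"image": r"C:\Windows\SysWOW64\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'C:\Windows\system32\mshta.exe "http://dwrapper-prod.herokuapp.com/bin/step1_av.html"'},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Windows\SysWOW64\mshta.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://example.invalid/"'},
    {"image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'mshta.exe C:\Windows\System32\setup.hta'},   # benign-looking control
]

ARG_RE = re.compile(r'"([^"]*)"|(\S+)')
USER_WRITABLE_RE = re.compile(r"(?i)^[A-Z]:\\(Users|ProgramData)\\|\\AppData\\|\\Temp\\")
URL_RE = re.compile(r"(?i)^https?://")
# Assumed browser image names; extend for the environment being monitored.
BROWSERS = ("chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe", "opera.exe")


def split_args(cmdline):
    """Windows-style split: double-quoted arguments stay whole."""
    return [quoted or bare for quoted, bare in ARG_RE.findall(cmdline)]


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def is_mshta(path):
    return basename(path) == "mshta.exe"


def triage(event):
    """Return the rule names that fire on one event (empty list if none)."""
    findings = []
    image, parent = event["image"], event["parent"]
    args = split_args(event["cmdline"])[1:]  # drop the program itself
    if is_mshta(image):
        for arg in args:
            if URL_RE.match(arg):
                findings.append("mshta started with a remote URL")
            elif arg.lower().endswith(".hta") and USER_WRITABLE_RE.search(arg):
                findings.append("mshta running a .hta from a user-writable path")
        if is_mshta(parent):
            findings.append("mshta spawned by mshta")
    elif is_mshta(parent) and basename(image) in BROWSERS:
        findings.append("browser launched by mshta")
    return findings


def triage_all(events):
    """Index -> findings for every event that triggered at least one rule."""
    return {i: hits for i, e in enumerate(events) if (hits := triage(e))}


if __name__ == "__main__":
    for index, hits in triage_all(EVENTS).items():
        print(index, EVENTS[index]["image"], hits)
```

The URL rule is the strongest of the three: mshta.exe taking a remote URL means the executed HTA never touches disk, which is exactly what openPageHTA() does for every page after the first.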
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):8133
                                  Entropy (8bit):5.512060404041763
                                  Encrypted:false
                                  SSDEEP:192:rLVRyhuoevivVLbVxe9zTTQsy/VGL5u5hKj631NFlJ6WNbjSb1pxCE8qbJ:GhyUCTTQ8kizh
                                  MD5:B2343F840D0138C1D34648AF653617AF
                                  SHA1:ABC1F107DFBAA67F7FADC6B03F2A69C561C51247
                                  SHA-256:8ECA86E628A4BF5C7CB78DB8654CE749E5BB4A3DAA5FE79ED61045CBF3A97E73
                                  SHA-512:8616D5865BF1C511F6E4C3E3CC5CBB1B2C4C71ECB255B3CB6EEF900EE3C9961E828A264F03436CAE7A7E430567BB397087550BADCCB83811C188CB90759F5B7C
                                  Malicious:false
Preview (line breaks and indentation restored; non-ASCII comment text is shown as dots in the report):
    if (typeof loadedJS !== "undefined") { loadedJS.push("statistics.js"); }

    /*
    // ............ .. Matomo Tracking HTTP API
    // https://developer.matomo.org/api-reference/tracking-api

    // ... ......... ........ ...... ....... sendMatomoEvent() . .......... ...........:
    sendMatomoEvent({
        title: 'Menu',
        url: 'https://example.com/menu'
    });

    // ........ ....... . ............. . .......... URL:
    sendMatomoEvent({
        title: 'Homepage',
        url: '/home'
    });

    // ........ ....... . .........., ........., ...... . .........:
    sendMatomoEvent({
        trackEvent: {
            category: 'User Interaction',
            action: 'Click',
            name: 'Button 1',
            value: '10'
        }
    });

    // ........ ....... . ................. ....... (_cvar) . ........... .... (goalId):
    sendMatomoE
This is the Matomo Tracking HTTP API client behind the sendMatomoEvent() calls in the other scripts; its requests are the matomo.php GETs to example-dwrapper.matomo.cloud in the URL list above.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:ASCII text, with no line terminators
                                  Category:dropped
                                  Size (bytes):32
                                  Entropy (8bit):4.366729296672174
                                  Encrypted:false
                                  SSDEEP:3:qYwmHMwMgRzn:qY3HMwMgRzn
                                  MD5:B097BC01F54B411CCD715DF31A02165A
                                  SHA1:42AEF60341257F6915AD99236674F0834CC6219A
                                  SHA-256:A8C62167EDF230A9096B4ADEE7EB1FC6F5E320A75278955E80F393C2B3AE4CB4
                                  SHA-512:558D274427F96D3E0FA49F43BADD674C2125356371B0119E4D78032793E023E360E4CF76357A2E54BCA6DF940203159956446A3FCD32F1ECC297775020FC5EA7
                                  Malicious:false
Preview:var clientIp = "102.129.143.77";
This is client_ip.js: the server writes the requesting host's public address into the script, so the value recorded here is the analysis environment's egress IP, not an indicator of the sample.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):1807
                                  Entropy (8bit):4.663040957738839
                                  Encrypted:false
                                  SSDEEP:24:cuM2VgeG3RWZQericn0EG1WGDROQP/YZqpMT6BM393pfb0+4p3wdJOIC5ypfLLcD:cDcgnwfiOGWK77iiM5FI5C2ylGf
                                  MD5:5BB70933199563BD95A85E9D58D0920B
                                  SHA1:1E0322DD237C61A911D58D11F3A2879D78A36444
                                  SHA-256:915A03DDD5D887CE43185A21FD9927FFCFC6E8F373D80D6FB0BFE96E65C029CD
                                  SHA-512:7F727D6F0ABB14746B24D10E7D2A532B20BA44B0E177C4B1D778BDF8EA3AC4D8B4D644EBEC169DAA4777DFFD22B376D1DAFB0EF790815558A665922598DA24EB
                                  Malicious:false
Preview (line breaks restored; the file is space-indented and the report collapsed the indentation, which is reconstructed from the block structure):
    var loadedJS = [];
    if (typeof loadedJS !== "undefined") { loadedJS.push("missing-scripts-detector.js"); }

    function getScriptNames() {
        var scripts = document.getElementsByTagName("script");
        var names = [];

        for (var i = 0; i < scripts.length; i++) {
            var url = scripts[i].src;
            if ((url) && (url.indexOf("client_ip.js") === -1)) {
                var parts = url.split("/");
                var name = parts[parts.length - 1];
                names.push(name);
            }
        }

        return names;
    }

    function logMissingScripts() {
        var allJS = getScriptNames();
        var missingJS = [];

        for (var i = 0; i < allJS.length; i++) {
            var isLoaded = false;

            for (var j = 0; j < loadedJS.length; j++) {
                if (typeof loadedJS[j] === "string" && loadedJS[j] === allJS[i]) {
                    isLoaded = true;
                    break;
                }
            }

            if (!isLoaded) {
                missingJS.push(allJS[i]);
This file defines the loadedJS array that every other script pushes its own name into, then compares it with the <script src> list (excluding client_ip.js) to find scripts that failed to load; what it does with missingJS is cut off in the preview.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):3369
                                  Entropy (8bit):5.647548365349031
                                  Encrypted:false
                                  SSDEEP:48:uMD2epuqggNwVngUF2EJDi+33Ld9oFWLCd6MVCON5p49TpNHkN/NyNdNfNjNsC8q:l73ZNengUdY8C6K5ul7E1OvVp+OIgp
                                  MD5:D9C4EDD8648B146931B486C8FC4853F1
                                  SHA1:4B5C47AD23061C8E225E7F6BBC3F116100DA296F
                                  SHA-256:C36CFE0BBA2E4B111968E9899B82A5FD6829949D8BA4BF31D0448C86904D7AA0
                                  SHA-512:1541027AD8D858F4A584E18CAE73BE9BD4E9EA3ECC670D76AAF24A833D11B8A199CDAA4735A27E70A870426C98E25DAFD642E6530D712A3D1A82CAE8A61C5346
                                  Malicious:false
Preview (line breaks and indentation restored; the report shows control characters as dots, and the two fragments around the meta tag are kept as they appear):
    <!DOCTYPE html>
    <html>

    <head>
        <title>Launcher</title>
         ->
         <meta http-equiv="X-UA-Compatible" content="IE=7">
         -->
        <HTA:APPLICATION ID="dwrapper" APPLICATIONNAME="dwrapper" ICON="%windir%\System32\magnify.exe" WIDTH="700"
            HEIGHT="600" CONTEXTMENU="yes" SELECTION="yes" APPLICATION="no" BORDER="none" CAPTION="no" INNERBORDER="no"
            MAXIMIZEBUTTON="yes" MINIMIZEBUTTON="yes" NAVIGABLE="yes" SCROLL="no" SCROLLFLAT="no" SHOWINTASKBAR="yes"
            SINGLEINSTANCE="no" SYSMENU="yes" VERSION="0.1" WINDOWSTATE="normal" />

        <script type="text/javascript">
            window.onload = function () {
                //window.focus();
                sendMatomoEvent({
                    title: 'Wrapper / Start screen page',
                    url: '/start_screen.html'
                });
                setTimeout(function () {
                    if (typeof logMissingScripts !== "undefined") {
                        logMissingScripts();
                    }
                    else {
                        sendMatomoEvent({
                            trackEvent: {
                                category: 'Wrapper / Errors',
                                action: '...... ......
The HTA:APPLICATION element runs the window without a caption or border (CAPTION="no", BORDER="none") and with the icon of the system Magnifier (%windir%\System32\magnify.exe), so the 700x600 window does not look like an mshta.exe host; the page reports its own load and any missing scripts to Matomo on start.
                                  Process:C:\Windows\SysWOW64\mshta.exe
                                  File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):2981
                                  Entropy (8bit):5.119918146134988
                                  Encrypted:false
                                  SSDEEP:48:fsCKWBr6pIl8r3yCyTprhGMCkMaJ7re6VOrnAM/TESJFBIr9U5JReskpUVh5buU2:fnxGp48hyTHbCFWS6VOz/TESJ7IK5JRi
                                  MD5:817F995CDDC5BB427032EB7286FCDA39
                                  SHA1:C676C64C0D0C902C66E8448680846FF45D388E8B
                                  SHA-256:F3BDB1D94F79EFD344620028E69EB6BC4AADCA69081E9A9E91D5389E6BFD6DFB
                                  SHA-512:4ECA49C7041A35125031188716F341E1E7081FD7A4C7E505606E4FD38143164C36E461D42308D9633CCD89F113BBF4E77DE6C01DB60B0E4C29F447A7FB0CA4F6
                                  Malicious:false
                                  Preview:.html,..body {...height: 100%;...margin: 0;...padding: 0;.../*overflow-x: hidden;*/...overflow-y: auto;..}....body {...font-family: Calibri, 'Segoe UI', Verdana, Tahoma, Geneva, sans-serif;...font-weight: lighter;...font-size: 19px;..}.......close-btn {...position: absolute;...top: 0px;...right: 17px;...font-size: 30px;...cursor: pointer;..}....#language {...position: absolute;...bottom: 30px;...right: 37px;..}....#versionLabel {...left: 10px;...margin-left: 10px;...bottom: 10px;...font-size: 13px;...font-family: Geneva, Tahoma, sans-serif;..}.....antivirus-info {...margin-bottom: 20px;..}.....antivirus-info span {...display: block;..}....img {...max-width: 100%;..}.....content {...margin-top: 20px;..}....ul {...list-style: none;...padding: 0;..}....h1 {...text-align: center;..}....#download-button {...display: inline-block;...background-color: #0078D7;...color: white;...font-size: 20px;...text-decoration: none;...padding: 15px 30px;...margin: 10px;...border-radius: 10px;..}....#chec
                                  File type:HTML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                  Entropy (8bit):5.121271796929296
                                  TrID:
                                  • HyperText Markup Language (15004/1) 83.32%
                                  • Text - UTF-8 encoded (3003/1) 16.68%
                                  File name:PROD_Start_DriverPack.hta
                                  File size:1672
                                  MD5:dda846a4704efc2a03e1f8392e6f1ffc
                                  SHA1:387171a06eee5a76aaedc3664385bb89703cf6df
                                  SHA256:e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25
                                  SHA512:5cc5ad3fbdf083a87a65be76869bca844faa2d9be25657b45ad070531892f20d9337739590dd8995bca03ce23e9cb611129fe2f8457879b6263825d6df49da7a
                                  SSDEEP:48:uzK1vpKljUYpuqgs1pxXzOSRByHCpmF50bxxdW6kI:qiIT3BjNOSOGmF50tKA
                                  TLSH:34310E660D56902090372A6247FE620AEB73A5631289E752B8CC914F3F70B439E43BE8
                                  File Content Preview:...<!DOCTYPE html>..<html>....<head>.. <title>Starting...</title>.. ->.. <meta http-equiv="X-UA-Compatible" content="IE=7">.. -->.... { IF [NOSCRIPT] } -->.. .. <noscript>.. <meta http-equiv="refresh" c

                                  • Total Packets: 121
                                  • 80 (HTTP)
                                  • 53 (DNS)
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jun 5, 2023 23:31:41.364528894 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.409316063 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.409446001 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.409811974 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.453984022 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.455796957 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.455882072 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.455894947 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.455941916 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.455950975 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.455993891 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.456044912 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.456065893 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.469209909 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.471534967 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.513608932 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.515221119 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.515336037 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.515465975 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.515535116 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.515551090 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.515580893 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.515595913 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.515666962 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.516076088 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.518364906 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.559454918 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.561242104 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.561340094 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.561358929 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.561408997 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.562438011 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.563178062 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.563694000 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.563817024 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.566026926 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.606405973 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.608189106 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.608237028 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.608303070 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.608529091 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.610080004 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.610392094 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.611664057 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.611713886 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.611759901 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.611776114 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.611776114 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.611805916 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.611819029 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.611845970 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.611861944 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.611901045 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.613610983 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.653543949 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.659137964 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.659203053 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.659256935 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.659256935 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.659303904 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.659353971 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.659966946 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.660104990 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.660109997 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.660162926 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.672878981 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.683690071 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.716243982 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.717969894 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.718157053 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.730541945 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.730623007 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.730690002 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.730727911 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.730742931 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.730783939 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.730784893 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.730808973 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.760950089 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.762079000 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806013107 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806086063 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806137085 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806168079 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806224108 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806292057 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806307077 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806348085 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806385040 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806437016 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806464911 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806528091 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.806546926 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.806587934 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807476044 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807547092 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807579041 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807611942 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807627916 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807673931 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807674885 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807733059 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807790995 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807810068 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807810068 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807842016 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807846069 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807902098 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807904005 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.807961941 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.807962894 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.808018923 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.808022022 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.808082104 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852169037 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852302074 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852340937 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852382898 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852385998 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852456093 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852458954 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852528095 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852528095 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852606058 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852607012 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852690935 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852691889 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852758884 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852819920 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852827072 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852876902 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852896929 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852931023 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.852965117 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.852988005 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853034019 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853039026 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853101969 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853106022 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853168964 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853176117 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853238106 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853244066 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853305101 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853343010 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853373051 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853384972 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853441000 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853451967 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853507042 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853518009 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853579044 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.853585005 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.853657007 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897675991 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897706985 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897732973 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897758961 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897785902 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897810936 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897834063 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897860050 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897862911 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897862911 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897862911 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897887945 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897914886 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897924900 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897926092 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897942066 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897948027 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897972107 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.897979021 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.897998095 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898000002 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898025036 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898030996 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898049116 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898051023 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898075104 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898078918 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898101091 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898102045 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898128986 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898144960 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898158073 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898164988 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898188114 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898189068 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898219109 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898238897 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898247004 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898273945 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898293018 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898300886 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:41.898317099 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898317099 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898339033 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:41.898379087 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:43.087299109 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:43.107964039 CEST | 80 | 49701 | 18.157.122.248 | 192.168.2.3
                                   Jun 5, 2023 23:31:43.108094931 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:43.121170998 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:43.140350103 CEST | 80 | 49701 | 18.157.122.248 | 192.168.2.3
                                   Jun 5, 2023 23:31:43.150623083 CEST | 80 | 49701 | 18.157.122.248 | 192.168.2.3
                                   Jun 5, 2023 23:31:43.150777102 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:43.490397930 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:43.521100998 CEST | 80 | 49701 | 18.157.122.248 | 192.168.2.3
                                   Jun 5, 2023 23:31:43.521383047 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:31:56.853729010 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:56.853934050 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:31:56.951406002 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:31:56.951562881 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:11.905899048 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:11.906006098 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:12.183543921 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:12.183689117 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:27.009798050 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:27.010900974 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:27.287658930 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:27.287858963 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:41.806559086 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:41.807533026 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:32:41.809568882 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:32:41.809763908 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:33:31.292181015 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:33:31.292517900 CEST | 49699 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:33:31.292887926 CEST | 49700 | 80 | 192.168.2.3 | 46.137.15.86
                                   Jun 5, 2023 23:33:31.312350988 CEST | 80 | 49701 | 18.157.122.248 | 192.168.2.3
                                   Jun 5, 2023 23:33:31.312634945 CEST | 49701 | 80 | 192.168.2.3 | 18.157.122.248
                                   Jun 5, 2023 23:33:31.336008072 CEST | 80 | 49700 | 46.137.15.86 | 192.168.2.3
                                   Jun 5, 2023 23:33:31.336505890 CEST | 80 | 49699 | 46.137.15.86 | 192.168.2.3
                                   Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                   Jun 5, 2023 23:31:41.325001955 CEST | 52387 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jun 5, 2023 23:31:41.352510929 CEST | 53 | 52387 | 8.8.8.8 | 192.168.2.3
                                   Jun 5, 2023 23:31:42.996372938 CEST | 56924 | 53 | 192.168.2.3 | 8.8.8.8
                                   Jun 5, 2023 23:31:43.074219942 CEST | 53 | 56924 | 8.8.8.8 | 192.168.2.3
                                   Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                   Jun 5, 2023 23:31:41.325001955 CEST | 192.168.2.3 | 8.8.8.8 | 0x2dc5 | Standard query (0) | dwrapper-prod.herokuapp.com | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:42.996372938 CEST | 192.168.2.3 | 8.8.8.8 | 0x2c48 | Standard query (0) | example-dwrapper.matomo.cloud | A (IP address) | IN (0x0001) | false
                                   Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                   Jun 5, 2023 23:31:41.352510929 CEST | 8.8.8.8 | 192.168.2.3 | 0x2dc5 | No error (0) | dwrapper-prod.herokuapp.com | (none) | 46.137.15.86 | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:41.352510929 CEST | 8.8.8.8 | 192.168.2.3 | 0x2dc5 | No error (0) | dwrapper-prod.herokuapp.com | (none) | 54.220.192.176 | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:41.352510929 CEST | 8.8.8.8 | 192.168.2.3 | 0x2dc5 | No error (0) | dwrapper-prod.herokuapp.com | (none) | 54.73.53.134 | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:43.074219942 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c48 | No error (0) | example-dwrapper.matomo.cloud | (none) | 18.157.122.248 | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:43.074219942 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c48 | No error (0) | example-dwrapper.matomo.cloud | (none) | 18.195.235.189 | A (IP address) | IN (0x0001) | false
                                   Jun 5, 2023 23:31:43.074219942 CEST | 8.8.8.8 | 192.168.2.3 | 0x2c48 | No error (0) | example-dwrapper.matomo.cloud | (none) | 3.126.133.169 | A (IP address) | IN (0x0001) | false
                                  • dwrapper-prod.herokuapp.com
                                    • example-dwrapper.matomo.cloud
                                   Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                   0 | 192.168.2.3 | 49699 | 46.137.15.86 | 80 | C:\Windows\SysWOW64\mshta.exe
                                   Timestamp | kBytes transferred | Direction | Data
                                   Jun 5, 2023 23:31:41.409811974 CEST | 92 | OUT | GET /bin/step1_av.html HTTP/1.1
                                  Accept: */*
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                   Jun 5, 2023 23:31:41.455796957 CEST | 92 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: text/html
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Transfer-Encoding: chunked
                                  Etag: W/"645e3f47-d29"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Content-Encoding: gzip
                                  Via: 1.1 vegur
                                   Jun 5, 2023 23:31:41.455882072 CEST | 94 | IN | Data Raw: 35 61 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ad 57 ef 6e db 36 10 ff ac 01 7b 07 56 40 17 07 a8 ac a4 5d 57 20 b1 02 28 b6 d6 08 f3 9f 20 76 9a 76 28 10 d0 12 ed a8 91 45 8d a2 9d 1a 43 80 34 c5 b0 02 2d d6 37 18 b0 4f fb da 16 ed 96 ad 5d f2 0a
                                  Data Ascii: 5a9Wn6{V@]W ( vv(EC4-7O]v$%C1;w;'+VsoA;||E%+}*<!YaV1\1?pxlQy4$:-x#idq[M,c8i7i[m5-^
                                   Jun 5, 2023 23:31:41.455941916 CEST | 94 | IN | Data Raw: 98 2d 7a 51 a3 50 4e 71 88 61 ee 2f cb 3e 2d 35 55 eb 8f b1 98 73 92 5c 2f a4 09 31 ba 3c 92 77 bd 09 25 33 83 17 9d b9 5c a0 f7 4e 5b bb a8 5b 79 ad 82 ab d6 66 42 18 52 37 0b b8 6b e4 2b 18 a6 55 e1 14 d9 71 7c 7e e8 a2 7d 04 a3 14 62 03 b9 98
                                  Data Ascii: -zQPNqa/>-5Us\/1<w%3\N[[yfBR7k+Uq|~}bfYz@+d8C:7b-''B.}PsL%?G)
                                   Jun 5, 2023 23:31:41.455993891 CEST | 94 | IN | Data Raw: 30 0d 0a 0d 0a
                                  Data Ascii: 0
                                  Jun 5, 2023 23:31:41.469209909 CEST | 95 | OUT | GET /bin/src/style.css HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.515221119 CEST | 96 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: text/css
                                  Content-Length: 2981
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-ba5"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: html,body {height: 100%;margin: 0;padding: 0;/*overflow-x: hidden;*/overflow-y: auto;}body {font-family: Calibri, 'Segoe UI', Verdana, Tahoma, Geneva, sans-serif;font-weight: lighter;font-size: 19px;}.close-btn {position: absolute;top: 0px;right: 17px;font-size: 30px;cursor: pointer;}#language {position: absolute;bottom: 30px;right: 37px;}#versionLabel {left: 10px;margin-left: 10px;bottom: 10px;font-size: 13px;font-family: Geneva, Tahoma, sans-serif;}.antivirus-info {margin-bottom: 20px;}.antivirus-info span {display: block;}img {max-width: 100%;}.content {margin-top: 20px;}ul {list-style: none;padding: 0;}h1 {text-align: center;}#download-button {display: inline-block;background-color: #0078D7;color: white;font-size: 20px;te
                                  Jun 5, 2023 23:31:41.515465975 CEST | 97 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: xt-decoration: none;padding: 15px 30px;margin: 10px;border-radius: 10px;}#checkbox-container {visibility: hidden;}#warningMessage {visibility: hidden;}.download-block {text-align: center;}#carousel {
                                  Jun 5, 2023 23:31:41.515535116 CEST | 98 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: bar,#bottom-bar,#left-bar,#right-bar {position: fixed;background-color: #a8a8a8;}#top-bar,#bottom-bar {width: 100%;height: 2px;left: 0;}#left-bar,#right-bar {width: 2px;height: 100%;top: 0;}#
                                  Jun 5, 2023 23:31:41.518364906 CEST | 99 | OUT | GET /client_ip.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.563694000 CEST | 103 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 32
                                  Expires: Tue, 06 Jun 2023 21:31:41 GMT
                                  Cache-Control: max-age=86400
                                  Cache-Control: public, max-age=86400, immutable
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: var clientIp = "102.129.143.77";
                                  Jun 5, 2023 23:31:41.566026926 CEST | 103 | OUT | GET /bin/src/variables/2.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.611664057 CEST | 107 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 5086
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-13de"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("2.js"); }function getCurrentDirectory() {var fso = new ActiveXObject("Scripting.FileSystemObject");var htaPath = fso.GetAbsolutePathName(document.location.pathname);var directory = fso.GetParentFolderName(htaPath);var baseUrl = document.location.href.split("/").slice(0, -1).join("/");var htaUrl = baseUrl + "/" + fso.GetFileName(htaPath);if (htaUrl === document.location.href) {return baseUrl;}return directory;}var current_dir = getCurrentDirectory();// Detect OSvar is64 = false;if (WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%") == "AMD64"|| WshShell.ExpandEnvironmentStrings("%PROCESSOR_ARCHITEW6432%") != "%PROCESSOR_ARCHITEW6432%") {is64 = true;}var OSVersion = 5;var OSVersionSP = 0;var colItems = objWMIService.ExecQuery("SELECT * FROM Win32
                                  Jun 5, 2023 23:31:41.611713886 CEST | 108 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: _OperatingSystem", "WQL");var enumItems = new Enumerator(colItems);for (; !enumItems.atEnd(); enumItems.moveNext()) {var OSfullName = enumItems.item().Caption;var objItem = OSfullName.toLowerCase();var OSServicePack = enumItems.it
                                  Jun 5, 2023 23:31:41.611759901 CEST | 109 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: lse if (navigator.appName == 'Netscape') {var ua = navigator.userAgent;var re = new RegExp("Trident/.*rv:([0-9]{1,}[\.0-9]{0,})");if (re.exec(ua) != null)rv = parseFloat(RegExp.$1);}return rv;}var IEVers = 0;IEVe
                                  Jun 5, 2023 23:31:41.611805916 CEST | 111 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: lementsByTagName('head').item(0);if (fso.GetFileName(filename).split('.')[1].toLowerCase() == 'css') {script = document.createElement("link");script.setAttribute("rel", "stylesheet");script.setAttribute("type", "text/css");s
                                  Jun 5, 2023 23:31:41.611845970 CEST | 111 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: ;if (fullpath1.indexOf('/') == 0) {substring_start = 1;}//Fix if slash is first charecterif (substring_end == -1) {substring_end = fullpath1.lastIndexOf('/') + 1;}//Fix for run from IEfullpath1 = fullpath1.substring(
                                  Jun 5, 2023 23:31:41.613610983 CEST | 112 | OUT | GET /bin/src/variables/4.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.659966946 CEST | 116 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 1157
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-485"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("4.js"); }function generateClientID() {var generateRandomNumber = Math.floor(Math.random() * 1e16);var getCurrentTimestamp = new Date().getTime();return generateRandomNumber + "." + getCurrentTimestamp;}// Client IDif (RegExists(Reg + 'clientID')) {window.clientID = RegRead(Reg + 'clientID');}else {window.clientID = generateClientID();RegWrite(Reg + 'clientID', window.clientID)}// Open urlfunction goToUrl(url) {lf('goToUrl');try {defBrowser = RegRead("HKCU\\SOFTWARE\\Clients\\StartMenuInternet\\");if (!defBrowser) defBrowser = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\");runComm = RegRead("HKLM\\SOFTWARE\\Clients\\StartMenuInternet\\" + defBrowser + "\\shell\\open\\command\\");runComm = runComm.replace(/"/ig, ''
                                  Jun 5, 2023 23:31:41.660104990 CEST | 117 | IN | Data Raw: [hex dump omitted]
                                  Data Ascii: );if (runComm)WshShell.Run('"' + runComm + '" ' + '"' + url + '"', 1, false);elsewindow.open(url);}catch (e) {log("Failed to open " + url);WshShell.Run('rundll32 url.dll,FileProtocolHandler ' + url, 1, false);
                                  Jun 5, 2023 23:31:41.683690071 CEST | 118 | OUT | GET /bin/src/script.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.730541945 CEST | 120 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 3549
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-ddd"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("script.js"); }var windowWidth = 700;var windowHeight = 600;function resizeWindow() {var screenWidth = screen.availWidth;var screenHeight = screen.availHeight;var newX = (screenWidth - windowWidth) / 2;var newY = (screenHeight - windowHeight) / 2;var randomNumber = Math.floor(Math.random() * 5) + 1;try {window.resizeTo(windowWidth, windowHeight + randomNumber);window.moveTo(newX, newY);} catch (e) { }}if ((typeof autoResizeNoNeed != 'undefined') && (autoResizeNoNeed !== true)) {resizeWindow();setTimeout(resizeWindow, 1000);}function closeHTA() {window.moveTo(-1000, -1000)setTimeout(function () { window.close(); }, 1000);sendMatomoEvent({trackEvent: {category: 'Wrapper',action: 'Application closed'}});}function openPageHTA(url, targe
                                  Jun 5, 2023 23:31:41.762079000 CEST | 124 | OUT | GET /bin/src/lang.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.807476044 CEST | 133 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 67231
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-1069f"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  1 | 192.168.2.3 | 49700 | 46.137.15.86 | 80 | C:\Windows\SysWOW64\mshta.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 5, 2023 23:31:41.516076088 CEST | 99 | OUT | GET /bin/src/missing-scripts-detector.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.561242104 CEST | 101 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 1807
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-70f"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: [hex dump omitted]
                                  Data Ascii: var loadedJS = [];if (typeof loadedJS !== "undefined") { loadedJS.push("missing-scripts-detector.js"); }function getScriptNames() { var scripts = document.getElementsByTagName("script"); var names = []; for (var i = 0; i < scripts.length; i++) { var url = scripts[i].src; if ((url) && (url.indexOf("client_ip.js") === -1)) { var parts = url.split("/"); var name = parts[parts.length - 1]; names.push(name); } } return names;}function logMissingScripts() { var allJS = getScriptNames(); var missingJS = []; for (var i = 0; i < allJS.length; i++) { var isLoaded = false; for (var j = 0; j < loadedJS.length; j++) { if (typeof loadedJS[j] === "string" && loadedJS[j] === allJS[i]) { isLoaded = true; br
                                  Jun 5, 2023 23:31:41.561340094 CEST | 102 | IN | Data Raw: 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 20 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 20 20 20 20 69 66 20 28 21 69 73 4c 6f 61 64 65 64 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 69 73 73 69 6e 67 4a 53 2e
                                  Data Ascii: eak; } } if (!isLoaded) { missingJS.push(allJS[i]); } } if (missingJS.length > 0) { for (var i = 0; i < missingJS.length; i++) { sendMatomoEvent({
                                  Jun 5, 2023 23:31:41.563178062 CEST | 102 | OUT | GET /bin/src/variables/1.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.608189106 CEST | 104 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 1304
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-518"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 31 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 76 61 72 20 76 65 72 73 69 6f 6e 20 3d 20 22 30 2e 31 34 22 3b 0d 0a 76 61 72 20 62 75 69 6c 64 44 61 74 65 20 3d 20 22 32 30 32 33 2f 30 34 2f 30 32 22 3b 20 2f 2f 20 59 59 59 59 2f 4d 4d 2f 44 44 0d 0a 76 61 72 20 52 65 67 20 3d 20 22 48 4b 43 55 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 64 77 72 61 70 70 65 72 5c 5c 22 3b 0d 0a 0d 0a 76 61 72 20 57 73 68 53 68 65 6c 6c 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 53 63 72 69 70 74 2e 53 68 65 6c 6c 22 29 3b 0d 0a 76 61 72 20 57 73 68 45 6e 76 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 6e 76 69 72 6f 6e 6d 65 6e 74 28 22 50 52 4f 43 45 53 53 22 29 3b 0d 0a 76 61 72 20 41 70 70 44 61 74 61 20 3d 20 57 73 68 53 68 65 6c 6c 2e 53 70 65 63 69 61 6c 46 6f 6c 64 65 72 73 28 22 41 70 70 44 61 74 61 22 29 3b 0d 0a 76 61 72 20 50 72 6f 67 72 61 6d 46 69 6c 65 73 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 50 72 6f 67 72 61 6d 46 69 6c 65 73 25 22 29 3b 0d 0a 76 61 72 20 50 72 6f 67 72 61 6d 46 69 6c 65 73 58 38 36 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 50 72 6f 67 72 61 6d 46 69 6c 65 73 28 78 38 36 29 25 22 29 3b 0d 0a 76 61 72 20 74 65 6d 70 44 69 72 20 3d 20 57 73 68 53 68 65 6c 6c 2e 45 78 70 61 6e 64 45 6e 76 69 72 6f 6e 6d 65 6e 74 53 74 72 69 6e 67 73 28 22 25 54 45 4d 50 25 22 29 3b 0d 0a 76 61 72 20 66 73 6f 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 53 63 72 69 70 74 69 6e 67 2e 46 69 6c 65 53 79 73 74 65 6d 4f 62 6a 65 63 74 22 29 3b 0d 0a 76 61 72 20 6c 6f 63 61 74 6f 72 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 62 65 6d 53 63 72 69 70 74 69 6e 67 2e 
53 57 62 65 6d 4c 6f 63 61 74 6f 72 22 29 3b 0d 0a 76 61 72 20 6f 62 6a 57 4d 49 53 65 72 76 69 63 65 20 3d 20 6c 6f 63 61 74 6f 72 2e 43 6f 6e 6e 65 63 74 53 65 72 76 65 72 28 6e 75 6c 6c 2c 20 22 72 6f 6f 74 5c 5c 63 69 6d 76 32 22 29 3b 0d 0a 76 61 72 20 6f 62 6a 53 68 65 6c 6c 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 53 68 65 6c 6c 2e 41 70 70 6c 69 63 61 74 69 6f 6e 22 29 3b 0d 0a 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 74 69 74 6c 65 20 2b 20 22 20 22 20 2b 20 76 65 72 73 69 6f 6e 3b 0d 0a 0d 0a 2f 2f 52 65 73 69 7a 65 20 77 69 6e 64 6f 77 0d 0a 2f 2a 0d 0a 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 09 74 72 79 20 7b 0d 0a 09 09 76 61 72 20
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("1.js"); }var version = "0.14";var buildDate = "2023/04/02"; // YYYY/MM/DDvar Reg = "HKCU\\SOFTWARE\\dwrapper\\";var WshShell = new ActiveXObject("WScript.Shell");var WshEnv = WshShell.Environment("PROCESS");var AppData = WshShell.SpecialFolders("AppData");var ProgramFiles = WshShell.ExpandEnvironmentStrings("%ProgramFiles%");var ProgramFilesX86 = WshShell.ExpandEnvironmentStrings("%ProgramFiles(x86)%");var tempDir = WshShell.ExpandEnvironmentStrings("%TEMP%");var fso = new ActiveXObject("Scripting.FileSystemObject");var locator = new ActiveXObject("WbemScripting.SWbemLocator");var objWMIService = locator.ConnectServer(null, "root\\cimv2");var objShell = new ActiveXObject("Shell.Application");document.title = document.title + " " + version;//Resize window/*(function () {try {var
                                  Jun 5, 2023 23:31:41.608237028 CEST | 105 | IN | Data Raw: 73 63 72 65 65 6e 57 69 64 74 68 20 3d 20 28 73 63 72 65 65 6e 2e 61 76 61 69 6c 57 69 64 74 68 20 3f 20 73 63 72 65 65 6e 2e 61 76 61 69 6c 57 69 64 74 68 20 3a 20 73 63 72 65 65 6e 2e 77 69 64 74 68 29 3b 0d 0a 09 09 76 61 72 20 73 63 72 65 65
                                  Data Ascii: screenWidth = (screen.availWidth ? screen.availWidth : screen.width);var screenHeight = (screen.availHeight ? screen.availHeight : screen.height);var windowWidth = 700;var windowHeight = 600;var newX = (screenWidth - windowWi
                                  Jun 5, 2023 23:31:41.610392094 CEST | 105 | OUT | GET /bin/src/variables/3.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.659137964 CEST | 113 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 2538
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-9ea"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 33 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 2f 2f 20 52 65 61 64 20 72 65 67 69 73 74 72 79 0d 0a 2f 2f 20 54 6f 44 6f 3a 20 d0 9f d1 80 d0 b8 d0 b4 d1 83 d0 bc d0 b0 d1 82 d1 8c 20 d0 b0 d0 b2 d1 82 d0 be 2d d1 82 d0 b5 d1 81 d1 82 d1 8b 21 21 21 0d 0a 66 75 6e 63 74 69 6f 6e 20 52 65 67 52 65 61 64 28 6b 65 79 29 20 7b 0d 0a 0d 0a 09 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65 28 27 48 4b 45 59 5f 4c 4f 43 41 4c 5f 4d 41 43 48 49 4e 45 5c 5c 27 2c 20 27 48 4b 4c 4d 5c 5c 27 29 3b 0d 0a 09 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65 28 27 48 4b 45 59 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 5c 5c 27 2c 20 27 48 4b 43 55 5c 5c 27 29 3b 0d 0a 0d 0a 09 72 65 74 20 3d 20 52 65 67 52 65 61 64 33 32 28 6b 65 79 29 3b 0d 0a 0d 0a 09 69 66 20 28 28 21 72 65 74 29 20 26 26 20 28 6b 65 79 2e 69 6e 64 65 78 4f 66 28 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 29 20 21 3d 20 2d 31 29 29 20 7b 0d 0a 09 09 76 61 72 20 74 5f 6b 65 79 20 3d 20 6b 65 79 2e 72 65 70 6c 61 63 65 28 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 2c 20 27 5c 5c 53 4f 46 54 57 41 52 45 5c 5c 57 6f 77 36 34 33 32 4e 6f 64 65 5c 5c 4d 69 63 72 6f 73 6f 66 74 5c 5c 27 29 3b 0d 0a 0d 0a 09 09 72 65 74 20 3d 20 52 65 67 52 65 61 64 33 32 28 74 5f 6b 65 79 29 3b 0d 0a 09 7d 0d 0a 0d 0a 09 69 66 20 28 21 72 65 74 20 26 26 20 69 73 36 34 29 20 7b 0d 0a 09 09 72 65 74 20 3d 20 52 65 67 52 65 61 64 36 34 28 6b 65 79 29 3b 0d 0a 09 7d 0d 0a 0d 0a 09 72 65 74 75 72 6e 20 72 65 74 3b 0d 0a 0d 0a 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 52 65 67 52 65 61 64 33 32 28 6b 65 79 29 20 7b 0d 0a 09 76 61 72 20 72 65 74 20 3d 20 22 22 3b 0d 0a 09 74 72 79 20 7b 20 72 65 74 20 3d 20 57 73 68 53 68 65 6c 6c 2e 52 65 67 52 65 61 64 28 6b 65 79 29 3b 
20 7d 0d 0a 09 63 61 74 63 68 20 28 65 29 20 7b 20 72 65 74 20 3d 20 22 22 3b 20 7d 0d 0a 09 72 65 74 75 72 6e 20 72 65 74 3b 0d 0a 7d 0d 0a 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 52 65 67 52 65 61 64 36 34 28 6b 65 79 29 20 7b 0d 0a 09 74 72 79 20 7b 0d 0a 09 09 76 61 72 20 48 4b 45 59 5f 4c 4f 43 41 4c 5f 4d 41 43 48 49 4e 45 20 3d 20 30 78 38 30 30 30 30 30 30 32 3b 0d 0a 09 09 76 61 72 20 48 4b 45 59 5f 43 55 52 52 45 4e 54 5f 55 53 45 52 20 3d 20 30 78 38 30 30 30 30 30 30 31 3b 0d 0a 0d 0a 09 09 76 61 72 20 63 6f 6e 74 65 78 74 20 3d 20 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 22 57 62 65 6d 53 63 72 69 70 74 69 6e 67 2e 53 57 62 65 6d 4e 61 6d 65 64 56 61 6c 75 65 53 65 74 22 29 3b 0d 0a 09 09
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("3.js"); }// Read registry// ToDo: -!!!function RegRead(key) {key = key.replace('HKEY_LOCAL_MACHINE\\', 'HKLM\\');key = key.replace('HKEY_CURRENT_USER\\', 'HKCU\\');ret = RegRead32(key);if ((!ret) && (key.indexOf('\\SOFTWARE\\Microsoft\\') != -1)) {var t_key = key.replace('\\SOFTWARE\\Microsoft\\', '\\SOFTWARE\\Wow6432Node\\Microsoft\\');ret = RegRead32(t_key);}if (!ret && is64) {ret = RegRead64(key);}return ret;}function RegRead32(key) {var ret = "";try { ret = WshShell.RegRead(key); }catch (e) { ret = ""; }return ret;}function RegRead64(key) {try {var HKEY_LOCAL_MACHINE = 0x80000002;var HKEY_CURRENT_USER = 0x80000001;var context = new ActiveXObject("WbemScripting.SWbemNamedValueSet");
                                  Jun 5, 2023 23:31:41.659203053 CEST | 114 | IN | Data Raw: 63 6f 6e 74 65 78 74 2e 41 64 64 28 22 5f 5f 50 72 6f 76 69 64 65 72 41 72 63 68 69 74 65 63 74 75 72 65 22 2c 20 36 34 29 3b 0d 0a 09 09 63 6f 6e 74 65 78 74 2e 41 64 64 28 22 5f 5f 52 65 71 75 69 72 65 64 41 72 63 68 69 74 65 63 74 75 72 65 22
                                  Data Ascii: context.Add("__ProviderArchitecture", 64);context.Add("__RequiredArchitecture", true);var locator = new ActiveXObject("Wbemscripting.SWbemLocator");var wbem = locator.ConnectServer(null, "root\\default", null, null, null, null, nul
                                  Jun 5, 2023 23:31:41.659303904 CEST | 115 | IN | Data Raw: 0a 09 7d 20 63 61 74 63 68 20 28 65 72 72 6f 72 29 20 7b 0d 0a 09 09 73 65 74 54 69 6d 65 6f 75 74 28 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 09 09 09 69 66 20 28 74 79 70 65 6f 66 20 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 20 21 3d 3d
                                  Data Ascii: } catch (error) {setTimeout(function () {if (typeof sendMatomoEvent !== "undefined") {sendMatomoEvent({trackEvent: {category: 'Wrapper / Errors',action: ' WshShell
                                  Jun 5, 2023 23:31:41.672878981 CEST | 117 | OUT | GET /bin/src/variables/5.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.717969894 CEST | 119 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 538
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-21a"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 35 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 61 64 64 4c 6f 61 64 45 76 65 6e 74 28 66 75 6e 63 29 20 7b 0d 0a 09 76 61 72 20 6f 6c 64 6f 6e 6c 6f 61 64 20 3d 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3b 0d 0a 09 69 66 20 28 74 79 70 65 6f 66 20 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 21 3d 20 22 66 75 6e 63 74 69 6f 6e 22 29 20 7b 0d 0a 09 09 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 3b 0d 0a 09 7d 20 65 6c 73 65 20 7b 0d 0a 09 09 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 20 3d 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0d 0a 09 09 09 69 66 20 28 6f 6c 64 6f 6e 6c 6f 61 64 29 20 7b 0d 0a 09 09 09 09 6f 6c 64 6f 6e 6c 6f 61 64 28 29 3b 0d 0a 09 09 09 7d 0d 0a 09 09 09 66 75 6e 63 28 29 3b 0d 0a 09 09 7d 3b 0d 0a 09 7d 0d 0a 09 2f 2f 20 d0 9f d1 80 d0 be d0 b2 d0 b5 d1 80 d1 8f d0 b5 d0 bc 20 d1 81 d0 be d1 81 d1 82 d0 be d1 8f d0 bd d0 b8 d0 b5 20 d0 b4 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 d0 b0 20 d0 b8 20 d0 b2 d1 8b d0 b7 d1 8b d0 b2 d0 b0 d0 b5 d0 bc 20 d1 84 d1 83 d0 bd d0 ba d1 86 d0 b8 d1 8e 20 d1 81 d1 80 d0 b0 d0 b7 d1 83 20 d0 b6 d0 b5 2c 20 d0 b5 d1 81 d0 bb d0 b8 20 d0 b4 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 20 d1 83 d0 b6 d0 b5 20 d0 b7 d0 b0 d0 b3 d1 80 d1 83 d0 b6 d0 b5 d0 bd 0d 0a 09 69 66 20 28 64 6f 63 75 6d 65 6e 74 2e 72 65 61 64 79 53 74 61 74 65 20 3d 3d 3d 20 22 63 6f 6d 70 6c 65 74 65 22 29 20 7b 0d 0a 09 09 66 75 6e 63 28 29 3b 0d 0a 09 7d 0d 0a 7d
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("5.js"); }function addLoadEvent(func) {var oldonload = window.onload;if (typeof window.onload != "function") {window.onload = func;} else {window.onload = function () {if (oldonload) {oldonload();}func();};}// , if (document.readyState === "complete") {func();}}
                                  Jun 5, 2023 23:31:41.760950089 CEST | 123 | OUT | GET /bin/src/statistics.js HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: dwrapper-prod.herokuapp.com
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:41.806013107 CEST | 125 | IN | HTTP/1.1 200 OK
                                  Connection: keep-alive
                                  Server: nginx
                                  Date: Mon, 05 Jun 2023 21:31:41 GMT
                                  Content-Type: application/javascript
                                  Content-Length: 8133
                                  Last-Modified: Fri, 12 May 2023 13:29:43 GMT
                                  Etag: "645e3f47-1fc5"
                                  Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
                                  Pragma: no-cache
                                  Expires: 0
                                  Access-Control-Allow-Origin: *
                                  Accept-Ranges: bytes
                                  Via: 1.1 vegur
                                  Data Raw: ef bb bf 69 66 20 28 74 79 70 65 6f 66 20 6c 6f 61 64 65 64 4a 53 20 21 3d 3d 20 22 75 6e 64 65 66 69 6e 65 64 22 29 20 7b 20 6c 6f 61 64 65 64 4a 53 2e 70 75 73 68 28 22 73 74 61 74 69 73 74 69 63 73 2e 6a 73 22 29 3b 20 7d 0d 0a 0d 0a 2f 2a 0d 0a 2f 2f 20 d0 94 d0 be d0 ba d1 83 d0 bc d0 b5 d0 bd d1 82 d0 b0 d1 86 d0 b8 d1 8f 20 d0 bf d0 be 20 4d 61 74 6f 6d 6f 20 54 72 61 63 6b 69 6e 67 20 48 54 54 50 20 41 50 49 0d 0a 2f 2f 20 68 74 74 70 73 3a 2f 2f 64 65 76 65 6c 6f 70 65 72 2e 6d 61 74 6f 6d 6f 2e 6f 72 67 2f 61 70 69 2d 72 65 66 65 72 65 6e 63 65 2f 74 72 61 63 6b 69 6e 67 2d 61 70 69 0d 0a 0d 0a 0d 0a 2f 2f 20 d0 92 d0 be d1 82 20 d0 bd d0 b5 d1 81 d0 ba d0 be d0 bb d1 8c d0 ba d0 be 20 d0 bf d1 80 d0 b8 d0 bc d0 b5 d1 80 d0 be d0 b2 20 d0 b2 d1 8b d0 b7 d0 be d0 b2 d0 b0 20 d1 84 d1 83 d0 bd d0 ba d1 86 d0 b8 d0 b8 20 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 29 20 d1 81 20 d1 80 d0 b0 d0 b7 d0 bb d0 b8 d1 87 d0 bd d1 8b d0 bc d0 b8 20 d0 bf d0 b0 d1 80 d0 b0 d0 bc d0 b5 d1 82 d1 80 d0 b0 d0 bc d0 b8 3a 0d 0a 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 7b 0d 0a 20 20 74 69 74 6c 65 3a 20 27 4d 65 6e 75 27 2c 0d 0a 20 20 75 72 6c 3a 20 27 68 74 74 70 73 3a 2f 2f 65 78 61 6d 70 6c 65 2e 63 6f 6d 2f 6d 65 6e 75 27 0d 0a 7d 29 3b 0d 0a 0d 0a 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 ba d0 b0 20 d1 81 d0 be d0 b1 d1 8b d1 82 d0 b8 d1 8f 20 d1 81 20 d0 be d1 82 d0 bd d0 be d1 81 d0 b8 d1 82 d0 b5 d0 bb d1 8c d0 bd d1 8b d0 bc 20 d0 b8 20 d0 b0 d0 b1 d1 81 d0 be d0 bb d1 8e d1 82 d0 bd d1 8b d0 bc 20 55 52 4c 3a 0d 0a 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 7b 0d 0a 20 20 74 69 74 6c 65 3a 20 27 48 6f 6d 65 70 61 67 65 27 2c 0d 0a 20 20 75 72 6c 3a 20 27 2f 68 6f 6d 65 27 0d 0a 7d 29 3b 0d 0a 0d 0a 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 ba d0 b0 20 d1 81 d0 be d0 b1 d1 8b d1 82 d0 b8 d1 8f 20 d1 81 20 d0 ba d0 b0 d1 82 d0 b5 d0 b3 d0 be d1 80 d0 b8 d0 b5 d0 b9 2c 20 d0 b4 d0 b5 d0 b9 d1 
81 d1 82 d0 b2 d0 b8 d0 b5 d0 bc 2c 20 d0 b8 d0 bc d0 b5 d0 bd d0 b5 d0 bc 20 d0 b8 20 d0 b7 d0 bd d0 b0 d1 87 d0 b5 d0 bd d0 b8 d0 b5 d0 bc 3a 0d 0a 73 65 6e 64 4d 61 74 6f 6d 6f 45 76 65 6e 74 28 7b 0d 0a 20 20 74 72 61 63 6b 45 76 65 6e 74 3a 20 7b 0d 0a 20 20 20 20 63 61 74 65 67 6f 72 79 3a 20 27 55 73 65 72 20 49 6e 74 65 72 61 63 74 69 6f 6e 27 2c 0d 0a 20 20 20 20 61 63 74 69 6f 6e 3a 20 27 43 6c 69 63 6b 27 2c 0d 0a 20 20 20 20 6e 61 6d 65 3a 20 27 42 75 74 74 6f 6e 20 31 27 2c 0d 0a 20 20 20 20 76 61 6c 75 65 3a 20 27 31 30 27 0d 0a 20 20 7d 0d 0a 7d 29 3b 0d 0a 0d 0a 2f 2f 20 d0 9e d1 82 d0 bf d1 80 d0 b0 d0 b2 d0 ba d0 b0 20 d1 81 d0 be d0 b1 d1 8b d1 82 d0 b8 d1 8f 20 d1 81 20 d0 bf d0 be d0 bb d1
                                  Data Ascii: if (typeof loadedJS !== "undefined") { loadedJS.push("statistics.js"); }/*// Matomo Tracking HTTP API// https://developer.matomo.org/api-reference/tracking-api// sendMatomoEvent() :sendMatomoEvent({ title: 'Menu', url: 'https://example.com/menu'});// URL:sendMatomoEvent({ title: 'Homepage', url: '/home'});// , , :sendMatomoEvent({ trackEvent: { category: 'User Interaction', action: 'Click', name: 'Button 1', value: '10' }});//
                                  Jun 5, 2023 23:31:41.806086063 CEST | 127 | IN | Data Raw: 8c d0 b7 d0 be d0 b2 d0 b0 d1 82 d0 b5 d0 bb d1 8c d1 81 d0 ba d0 b8 d0 bc d0 b8 20 d0 b4 d0 b0 d0 bd d0 bd d1 8b d0 bc d0 b8 20 28 5f 63 76 61 72 29 20 d0 b8 20 d0 b4 d0 be d1 81 d1 82 d0 b8 d0 b6 d0 b5 d0 bd d0 b8 d0 b5 d0 bc 20 d1 86 d0 b5 d0
                                  Data Ascii: (_cvar) (goalId):sendMatomoEvent({ customData: { 1: ['User Type', 'Registered'], 2: ['Subscription Level', 'Premium'] }, goalId: 3});//
                                  Jun 5, 2023 23:31:41.806224108 CEST | 128 | IN | Data Raw: b0 d1 82 d0 be d1 80 20 d0 b2 d0 b0 d1 88 d0 b5 d0 b3 d0 be 20 d1 81 d0 b0 d0 b9 d1 82 d0 b0 20 d0 b2 20 4d 61 74 6f 6d 6f 0d 0a 20 20 6d 61 74 6f 6d 6f 55 72 6c 3a 20 27 68 74 74 70 3a 2f 2f 65 78 61 6d 70 6c 65 2d 64 77 72 61 70 70 65 72 2e 6d
                                  Data Ascii: Matomo matomoUrl: 'http://example-dwrapper.matomo.cloud/matomo.php', // your-matomo-server.com URL Matomo domain: 'https://my-domain.com', //
                                  Jun 5, 2023 23:31:41.806292057 CEST | 129 | IN | Data Raw: b6 d0 b5 d0 bd d0 b8 d0 b5 20 d0 b2 20 44 4f 4d 0d 0a 20 20 20 20 2f 2f 61 6c 65 72 74 28 70 69 78 65 6c 2e 73 72 63 29 3b 0d 0a 20 20 20 20 2f 2f 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 27 76 65 72 73 69 6f 6e 4c
                                  Data Ascii: DOM //alert(pixel.src); //document.getElementById('versionLabel').innerHTML = pixel.src; });}function matomoGenerateDefaultUrlParams() { var randomNum = Math.floor(Math.random() * (100000000 - 100000 + 1)) +
                                  Jun 5, 2023 23:31:41.806385040 CEST | 131 | IN | Data Raw: 20 28 6f 70 74 69 6f 6e 73 2e 43 6c 69 65 6e 74 49 44 29 20 7b 0d 0a 20 20 20 20 70 61 72 61 6d 73 20 2b 3d 20 27 26 75 69 64 3d 27 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74 28 6f 70 74 69 6f 6e 73 2e 43 6c 69 65 6e 74 49 44
                                  Data Ascii: (options.ClientID) { params += '&uid=' + encodeURIComponent(options.ClientID); } else if (window.matomoSettings.clientID) { params += '&uid=' + encodeURIComponent(window.matomoSettings.clientID); } //
                                  Jun 5, 2023 23:31:41.806464911 CEST | 132 | IN | Data Raw: 6e 20 26 26 20 74 79 70 65 6f 66 20 6f 70 74 69 6f 6e 73 2e 64 69 6d 65 6e 73 69 6f 6e 20 3d 3d 3d 20 27 6f 62 6a 65 63 74 27 29 20 7b 0d 0a 20 20 20 20 66 6f 72 20 28 76 61 72 20 6b 65 79 20 69 6e 20 6f 70 74 69 6f 6e 73 2e 64 69 6d 65 6e 73 69
                                  Data Ascii: n && typeof options.dimension === 'object') { for (var key in options.dimension) { if (options.dimension.hasOwnProperty(key)) { params += '&dimension' + encodeURIComponent(key) + '=' + encodeURIComponent(options.dimension[
                                  Jun 5, 2023 23:31:41.806528091 CEST | 133 | IN | Data Raw: 65 74 74 69 6e 67 73 2e 64 6f 6d 61 69 6e 20 2b 20 6f 70 74 69 6f 6e 73 2e 75 72 6c 3b 0d 0a 20 20 20 20 7d 0d 0a 0d 0a 20 20 20 20 70 61 72 61 6d 73 20 2b 3d 20 27 26 75 72 6c 3d 27 20 2b 20 65 6e 63 6f 64 65 55 52 49 43 6f 6d 70 6f 6e 65 6e 74
                                  Data Ascii: ettings.domain + options.url; } params += '&url=' + encodeURIComponent(url); } matomoCreateImage(params);}var showDefaultErrorWindow = true;window.onerror = function (msg, url, linenumber) { shortUrl = url.subs


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                  2 | 192.168.2.3 | 49701 | 18.157.122.248 | 80 | C:\Windows\SysWOW64\mshta.exe
                                  Timestamp | kBytes transferred | Direction | Data
                                  Jun 5, 2023 23:31:43.121170998 CEST | 206 | OUT | GET /matomo.php?idsite=1&rec=1&rand=55936274&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=42&uid=10212914377202365&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: example-dwrapper.matomo.cloud
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:43.150623083 CEST | 206 | IN | HTTP/1.1 503 Service Unavailable
                                  Date: Mon, 05 Jun 2023 21:31:43 GMT
                                  Content-Type: image/gif
                                  Content-Length: 50
                                  Connection: keep-alive
                                  Server: Apache
                                  Cache-Control: no-store
                                  Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
                                  Content-Encoding: gzip
                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 73 f7 74 b3 b0 4c 64 64 60 64 68 60 80 02 c5 9f 2c 8c 20 5a 07 44 80 64 18 98 98 5c 18 19 ac 01 76 bd 68 ab 2b 00 00 00
                                  Data Ascii: stLdd`dh`, ZDd\vh+
                                  Jun 5, 2023 23:31:43.490397930 CEST | 207 | OUT | GET /matomo.php?idsite=1&rec=1&rand=97815994&apiv=1&cookie=1&bots=1&res=1280x1024&h=23&m=31&s=43&uid=10212914377202365&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1
                                  Accept: */*
                                  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
                                  Accept-Language: en-US
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                  Host: example-dwrapper.matomo.cloud
                                  Connection: Keep-Alive
                                  Jun 5, 2023 23:31:43.521100998 CEST | 208 | IN | HTTP/1.1 503 Service Unavailable
                                  Date: Mon, 05 Jun 2023 21:31:43 GMT
                                  Content-Type: image/gif
                                  Content-Length: 50
                                  Connection: keep-alive
                                  Server: Apache
                                  Cache-Control: no-store
                                  Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
                                  Content-Encoding: gzip
                                  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 73 f7 74 b3 b0 4c 64 64 60 64 68 60 80 02 c5 9f 2c 8c 20 5a 07 44 80 64 18 98 98 5c 18 19 ac 01 76 bd 68 ab 2b 00 00 00
                                  Data Ascii: stLdd`dh`, ZDd\vh+


                                  [Chart residue: time axis in s, 0-100 scale]
                                  [Chart residue: time axis in s, 0-40 MB scale]
                                  [Process behavior distribution chart: File, Registry]

                                  Target ID:0
                                  Start time:23:31:40
                                  Start date:05/06/2023
                                  Path:C:\Windows\SysWOW64\mshta.exe
                                  Wow64 process (32bit):true
                                  Commandline:mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta"
                                  Imagebase:0x120000
                                  File size:13312 bytes
                                  MD5 hash:7083239CE743FDB68DFC933B7308E80A
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Executed Functions

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.616195010.00000000085E0000.00000010.00000800.00020000.00000000.sdmp, Offset: 085E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_85e0000_mshta.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b1b3c275437561b8b74ab691ce133e6b034324bfd1cba2a2c2e1caf449408fd
                                  • Instruction ID: 07796ad50f16f3dfc907b620021e9a8146eedb0efb1882b84f78f039e93fff80
                                  • Opcode Fuzzy Hash: 0b1b3c275437561b8b74ab691ce133e6b034324bfd1cba2a2c2e1caf449408fd
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%

                                  Memory Dump Source
                                  • Source File: 00000000.00000003.351587287.00000000080F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 080F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_3_80f0000_mshta.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                  • Instruction ID: 13ab118c32cafb8aea86a84ef37130cf2042737a7757661efe35bc20f59ce0b7
                                  • Opcode Fuzzy Hash: c3a15be25e73e0af5cd098aeb9f1030a3306e00c055dd63b442d0747fe722849
                                  • Instruction Fuzzy Hash:
                                  Uniqueness

                                  Uniqueness Score: -1.00%
