Windows Analysis Report
PROD_Start_DriverPack.hta

Overview

General Information

Sample name: PROD_Start_DriverPack.hta
Analysis ID: 1427884
MD5: dda846a4704efc2a03e1f8392e6f1ffc
SHA1: 387171a06eee5a76aaedc3664385bb89703cf6df
SHA256: e9dc9648d8fb7d943431459f49a7d9926197c2d60b3c2b6a58294fd75b672b25

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic
Writes or reads registry keys via WMI
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Networking

Source: Traffic Snort IDS: 2831817 ETPRO CURRENT_EVENTS Likely Malicious JS Inbound 46.137.15.86:80 -> 192.168.2.4:49731
Source: global traffic HTTP traffic detected:
  GET /bin/step1_av.html HTTP/1.1
  Accept: */*
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/style.css HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/missing-scripts-detector.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /client_ip.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/variables/1.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/variables/2.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/variables/3.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/variables/4.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/variables/5.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/script.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/statistics.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/src/lang.js HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /bin/img/background.jpg HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: dwrapper-prod.herokuapp.com
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&action_name=Wrapper%20%2F%20Start%20screen%20page&url=https%3A%2F%2Fmy-domain.com%2Fstart_screen.html HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: exampledd.matomo.cloud
  Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
  GET /matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280x1024&h=9&m=58&s=28&uid=8118157522024418&e_c=Wrapper%20%2F%20Errors%20%2F%20Missing%20scripts&e_a=%D0%92%D1%81%D0%B5%20%D1%81%D0%BA%D1%80%D0%B8%D0%BF%D1%82%D1%8B%20%D1%83%D1%81%D0%BF%D0%B5%D1%88%D0%BD%D0%BE%20%D0%B7%D0%B0%D0%B3%D1%80%D1%83%D0%B7%D0%B8%D0%BB%D0%B8%D1%81%D1%8C&e_n=&e_v=&ca=1 HTTP/1.1
  Accept: */*
  Referer: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
  Accept-Language: en-CH
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: exampledd.matomo.cloud
  Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 18 Apr 2024 07:58:29 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 101
  Connection: keep-alive
  Server: Apache
  Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
  Content-Encoding: gzip
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00
Source: global traffic HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Thu, 18 Apr 2024 07:58:30 GMT
  Content-Type: text/html; charset=UTF-8
  Content-Length: 101
  Connection: keep-alive
  Server: Apache
  Vary: X-Forwarded-Port-Override,X-Forwarded-Proto-Override,Accept-Encoding,User-Agent
  Content-Encoding: gzip
  Data Raw: 1f 8b 08 00 00 00 00 00 00 03 15 ca b1 0d 80 30 0c 04 c0 55 7e 00 c4 0e 94 14 48 14 2c 60 05 8b 58 04 1b 39 46 c0 f6 84 ee 8a 1b 2a 26 0a 3b 0c 52 a1 16 10 ad 41 a5 f0 8a 97 a3 43 64 c6 e2 94 76 d1 0d c3 3c 22 91 fe ed 74 4b dc 12 e9 8a 5b 4a 01 3f 12 4d 91 ed 0a b0 bb 79 ff 01 d2 75 8f 77 5c 00 00 00
Source: unknown DNS traffic detected: queries for: dwrapper-prod.herokuapp.com
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg2
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpg94
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgI2
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgcal
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgdI
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpge
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/img/background.jpgo
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.html
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmlP
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmlu
Source: mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/paywall_expert_mode.htmly
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.js
Source: mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.js(
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsC:
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsG
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jsJK
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jscs.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/lang.jss
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js#
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.js/html
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714227041.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsN
Source: mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jsp
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/missing-scripts-detector.jst
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js5.jsSE7
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.js8B
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.jsnEr
Source: mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/script.jsoC:
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js
Source: mshta.exe, 00000000.00000003.1733479679.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/statistics.js)7
Source: mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/style.css
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/1.js
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/2.js
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/3.js
Source: mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/4.js
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006476000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/src/variables/5.js
Source: mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, PROD_Start_DriverPack.hta String found in binary or memory: http://dwrapper-prod.herokuapp.com/bin/step1_av.html
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002DBF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1722413056.0000000006551000.00000004.00000020.00020000.00000000.sdmp, step1_av[1].htm.0.dr String found in binary or memory: http://dwrapper-prod.herokuapp.com/client_ip.js
Source: mshta.exe, 00000000.00000002.2926779689.0000000006467000.00000004.00000020.00020000.00000000.sdmp, style[1].css.0.dr String found in binary or memory: http://emojipedia-us.s3.dualstack.us-west-1.amazonaws.com/thumbs/240/apple/285/white-heavy-check-mar
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://exampledd.matomo.cloud/
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2927500831.0000000008785000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr String found in binary or memory: http://exampledd.matomo.cloud/matomo.php
Source: mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=3535895&apiv=1&cookie=1&bots=1&res=1280
Source: mshta.exe, 00000000.00000002.2926779689.00000000063FC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://exampledd.matomo.cloud/matomo.php?idsite=1&rec=1&rand=5523935&apiv=1&cookie=1&bots=1&res=1280
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr String found in binary or memory: https://developer.matomo.org/api-reference/tracking-api
Source: mshta.exe, 00000000.00000003.1714427884.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1714351909.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp, statistics[1].js.0.dr String found in binary or memory: https://my-domain.com
Source: mshta.exe, 00000000.00000003.1730335018.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.0000000006492000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.0000000006492000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nel.heroku.com/reports
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nel.heroku.com/reports?ts=1713427106&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=Thizdw6FGJTo
Source: mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730335018.0000000006416000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=ob
Source: mshta.exe, 00000000.00000003.1734242310.000000000645C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926499361.000000000569C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://nel.heroku.com/reports?ts=1713427107&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=obAs9E56L77J
Source: mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://nel.heroku.com/reports?ts=1713427108&sid=812dcc77-0bd0-43b1-a5f1-b25750382959&s=AMdLCtQBxpAf

System Summary

Source: C:\Windows\SysWOW64\mshta.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine Classification label: mal52.winHTA@2/16@2/2
Source: C:\Windows\SysWOW64\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\SysWOW64\mshta.exe File read: C:\Users\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\mshta.exe mshta.exe "C:\Users\user\Desktop\PROD_Start_DriverPack.hta"
Source: C:\Windows\SysWOW64\mshta.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mshtml.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: powrprof.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: umpdc.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msiso.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: srpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msimtf.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxgi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: resourcepolicyclient.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dataexchange.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d11.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dcomp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dwrite.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: d3d10warp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: jscript9.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: msls31.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: uiautomationcore.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: windowscodecs.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxtrans.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: atl.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ddrawex.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: ddraw.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dciman32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: dxtmsft.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\mshta.exe Section loaded: imgutil.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe Section loaded: esscli.dll
Source: C:\Windows\SysWOW64\mshta.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\SysWOW64\mshta.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini
Source: C:\Windows\SysWOW64\mshta.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: mshta.exe, 00000000.00000002.2926779689.00000000063B0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2926779689.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1733479679.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2923542831.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1730132184.000000000640B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000003.1734242310.000000000640B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: C:\Windows\SysWOW64\mshta.exe Memory allocated: page read and write | page guard
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Windows\SysWOW64\mshta.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation